CVE-2017-13089

HIGH

Description

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

References

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f

http://www.debian.org/security/2017/dsa-4008

http://www.securityfocus.com/bid/101592

http://www.securitytracker.com/id/1039661

https://access.redhat.com/errata/RHSA-2017:3075

https://github.com/r1b/CVE-2017-13089

https://security.gentoo.org/glsa/201711-06

https://www.synology.com/support/security/Synology_SA_17_62_Wget

https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Details

Source: MITRE

Published: 2017-10-27

Updated: 2017-12-30

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Tenable Plugins

View all (25 total)

ID	Name	Product	Family	Severity
124920	EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417)	Nessus	Huawei Local Security Checks	high
124916	EulerOS Virtualization for ARM 64 3.0.1.0 : wget (EulerOS-SA-2019-1413)	Nessus	Huawei Local Security Checks	high
121766	Photon OS 1.0: Wget PHSA-2017-0047	Nessus	PhotonOS Local Security Checks	high
121765	Photon OS 2.0: Wget PHSA-2017-0046	Nessus	PhotonOS Local Security Checks	high
119236	Virtuozzo 7 : wget (VZLSA-2017-3075)	Nessus	Virtuozzo Local Security Checks	high
111896	Photon OS 1.0: Wget PHSA-2017-0047 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111895	Photon OS 2.0: Wget PHSA-2017-0046 (deprecated)	Nessus	PhotonOS Local Security Checks	high
105816	Fedora 27 : wget (2017-10fbce01ec)	Nessus	Fedora Local Security Checks	high
104650	SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2017:2871-2)	Nessus	SuSE Local Security Checks	high
104609	Fedora 25 : wget (2017-de8a421dcd)	Nessus	Fedora Local Security Checks	high
104514	GLSA-201711-06 : GNU Wget: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
104452	Fedora 26 : wget (2017-f0b3231763)	Nessus	Fedora Local Security Checks	high
104295	EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)	Nessus	Huawei Local Security Checks	high
104294	EulerOS 2.0 SP1 : wget (EulerOS-SA-2017-1269)	Nessus	Huawei Local Security Checks	high
104240	openSUSE Security Update : wget (openSUSE-2017-1210)	Nessus	SuSE Local Security Checks	high
104226	FreeBSD : wget -- Stack overflow in HTTP protocol handling (09849e71-bb12-11e7-8357-3065ec6f3643)	Nessus	FreeBSD Local Security Checks	high
104223	Debian DSA-4008-1 : wget - security update	Nessus	Debian Local Security Checks	high
104221	Debian DLA-1149-1 : wget security update	Nessus	Debian Local Security Checks	high
104218	CentOS 7 : wget (CESA-2017:3075)	Nessus	CentOS Local Security Checks	high
104216	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : wget (SSA:2017-300-02)	Nessus	Slackware Local Security Checks	high
104211	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1)	Nessus	Ubuntu Local Security Checks	high
104207	Scientific Linux Security Update : wget on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
104205	RHEL 7 : wget (RHSA-2017:3075)	Nessus	Red Hat Local Security Checks	high
104200	Oracle Linux 7 : wget (ELSA-2017-3075)	Nessus	Oracle Linux Local Security Checks	high
104182	Amazon Linux AMI : wget (ALAS-2017-916)	Nessus	Amazon Linux Local Security Checks	high