Hi! I just noticed a security problem with wget:
If a non-priv user owns a file (/tmp/test), and the root user downloads a file with the same name (wget -O /tmp/test), the newly created file is still owned by the former user!!!

EXAMPLE:

==================================================================================================
borja@PanoramaBar ~ $ cd /tmp/
borja@PanoramaBar tmp $ id
uid=1000(borja) gid=1000(borja) grupos=1000(borja)
borja@PanoramaBar tmp $
borja@PanoramaBar tmp $ wget -q www.marca.es
borja@PanoramaBar tmp $ ls -lah index.html
-rw-r--r-- 1 borja borja 297K mar 14 14:01 index.html
borja@PanoramaBar tmp $
borja@PanoramaBar tmp $

PanoramaBar ~ #
PanoramaBar ~ # cd /tmp/
PanoramaBar tmp # wget -q -O index.html www.marca.es
PanoramaBar tmp # ls -lah index.html
-rw-r--r-- 1 borja borja 297K mar 14 14:02 index.html
PanoramaBar tmp # id
uid=0(root) gid=0(root) grupos=0(root)
PanoramaBar tmp #
==================================================================================================

This can lead to race-condition attacks and privilege escalation. The newly downloaded file must be owned by the user who executes the wget command.

Regards.

--
Borja Ruiz-Castro
Senior Security Consultant
QA testing engineer
*AlienVault Europe*
C/Cronos 63, Planta 2a, Oficina 6
CP: 28037 Madrid, Spain
Tlf +34 91 515-1344
Fax +34 91 413-5968
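The ownership behaviour in the session above, as an added example that is not part of the original message and is not wget's code: opening an existing path for writing with truncation reuses its inode (so owner and mode stay as they were), while writing a new temporary file and rename()-ing it over the target yields a new inode owned by the caller. The function names and the /tmp/owner-demo.* scratch directory are assumptions made for illustration; inode numbers are compared so the check runs without root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* mkstemp, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Truncate in place: an existing file keeps its inode, so owner and mode are unchanged. */
static int write_in_place(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) >= 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Hardened: new file via mkstemp (O_EXCL, mode 0600) in the same directory, then rename(). */
static int write_replace(const char *path, const char *data) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) >= 0 && fchmod(fd, 0644) == 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) == 0) return 0;   /* new inode, owned by the caller */
    unlink(tmp);
    return -1;
}

static ino_t inode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

/* Bit 0: in-place write kept the inode. Bit 1: replace produced a new one. */
int demo(void) {
    char dir[] = "/tmp/owner-demo.XXXXXX";   /* constructed scratch directory */
    char path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/index.html", dir);
    if (write_in_place(path, "pre-existing file\n") != 0) return -1;
    ino_t before = inode_of(path);
    int kept = write_in_place(path, "download 1\n") == 0 && inode_of(path) == before;
    int fresh = write_replace(path, "download 2\n") == 0 && inode_of(path) != before;
    unlink(path); rmdir(dir);
    return kept | (fresh << 1);
}
int main(void) { printf("demo() = %d (3 means both checks held)\n", demo()); return 0; }
```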
