Hi, thanks for the report. Is that still an issue on a recent version of Wget ? The version 1.17.1 you are using is very outdated.
We don't directly support windows binaries, but here is an unofficial website that provides for binary downloads: https://eternallybored.org/misc/wget/ If you find possible security issues, please do not make them public by writing to this mailing list. Instead open an issue at https://savannah.gnu.org/bugs/?func=additem&group=wget and set 'Privacy' to 'private'. Regards, Tim On 10/14/19 8:15 PM, A.K. Zidani wrote: > Hello there, > > I'm a security researcher and I think I found something interesting when > using wget to download a file under Windows's BASH environment. > > here is a quick poc I created: > https://addaxsoft.com/poc/AAAAAAAAA%bb%e4%b8%ad%e7AAAAAAAAAAAAAAAA > when you wget that file; wget will crash at: > > Program received signal SIGSEGV, Segmentation fault. > __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161 > > 0x00007ffffe202ae6 <+374>: sub rax,rdx > 0x00007ffffe202ae9 <+377>: vzeroupper > 0x00007ffffe202aec <+380>: ret > 0x00007ffffe202aed <+381>: nop DWORD PTR [rax] > 0x00007ffffe202af0 <+384>: sub rcx,0xffffffffffffff80 > 0x00007ffffe202af4 <+388>: vmovd eax,xmm0 > => 0x00007ffffe202af8 <+392>: rep stos BYTE PTR es:[rdi],al > 0x00007ffffe202afa <+394>: mov rax,rsi > 0x00007ffffe202afd <+397>: sub rax,rdx > 0x00007ffffe202b00 <+400>: vzeroupper > 0x00007ffffe202b03 <+403>: ret > > registers: > (gdb) info registers > rax 0x20202020 538976288 > rbx 0xffffffffffffffff -1 > rcx 0xffffffffffff5387 -44153 > rdx 0xffffffffffffffff -1 > rsi 0x84b1387 139137927 > rdi 0x84bc000 139182080 > rbp 0x84b1140 0x84b1140 > rsp 0x7ffffffed558 0x7ffffffed558 > r8 0x0 0 > r9 0x1 1 > r10 0x7ffffffed4a8 140737488278696 > r11 0x8279880 136812672 > r12 0x7 7 > r13 0x7 7 > r14 0x82798f0 136812784 > r15 0x84b1388 139137928 > rip 0x7ffffe202af8 0x7ffffe202af8 <__memset_avx2+392> > eflags 0x10287 [ CF PF SF IF RF ] > cs 0x33 51 > ss 0x2b 43 > ds 0x0 0 > es 0x0 0 > fs 0x0 0 > gs 0x0 0 > > rdi is accessing inaccessible memory which the cause of the crash: > (gdb) x $rdi > 0x84bc000: Cannot access memory at address 0x84bc000 > > here is my wget -V output: > root@PC:~# wget -V > GNU Wget 1.17.1 built on linux-gnu. > > +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm > +opie -psl +ssl/openssl > > Wgetrc: > /etc/wgetrc (system) > Locale: > /usr/share/locale > Compile: > gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" > -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib > -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include > -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE -fstack-protector-strong > -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 > -g -Wall > Link: > gcc -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE -fstack-protector-strong > -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 > -g -Wall -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro > -Wl,-z,now -L/usr/lib -lpcre -luuid -lssl -lcrypto -lz -lidn > ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a > > Copyright (C) 2015 Free Software Foundation, Inc. > Licence GPLv3+: GNU GPL version 3 or later > <http://www.gnu.org/licenses/gpl.html>. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > Originally written by Hrvoje Niksic <[email protected]>. > Please send bug reports and questions to <[email protected]>. > > > > > > I didn't look into this further, but potentially I can have a memory write > if I get control of rdi and rax at some point in the code path, which may > lead to code execution as well. > > NOTE: this only crashes wget running in bash in a Windows environment. > not sure if this is the same as CVE-2019-5953, but I would like to > investigate further. > > > >
signature.asc
Description: OpenPGP digital signature
