CVE-2017-13090 in wget
Summary
by MITRE
The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
Analysis
by VulDB Data Team • 01/04/2023
The vulnerability identified as CVE-2017-13090 resides within the wget command-line utility, specifically in the handling of chunked HTTP responses during the processing of OK responses. This flaw manifests in the retr.c file where the fd_read_body() function is invoked, creating a critical pathway for memory corruption attacks. The issue affects wget versions prior to 1.19.2, making it a significant concern for systems utilizing older versions of this widely deployed tool.
The technical root cause stems from inadequate input validation within the chunked transfer encoding parser. When wget encounters chunked responses, it employs the strtol() function to parse each chunk's length specification from the HTTP response. The parser fails to validate that the parsed chunk length represents a non-negative value, creating an exploitable condition. This oversight allows malicious HTTP responses to contain negative chunk length values that bypass normal validation checks.
The operational impact becomes critical when the system attempts to read these malformed chunks. The code utilizes a MIN() macro to process chunks in 8192-byte pieces, but due to the unchecked negative values, the system passes these invalid lengths directly to the fd_read() function. Since fd_read() accepts an integer argument, negative values undergo sign extension and bit truncation, effectively converting the attacker-controlled negative length into a large positive integer. This conversion process results in the high 32 bits of the chunk length being discarded, leaving the function with a completely controllable argument that can exceed the bounds of allocated memory buffers.
The memory corruption potential represents a severe security risk that aligns with CWE-191, which describes integer underflow conditions, and CWE-190, covering integer overflow vulnerabilities. This vulnerability also maps to ATT&CK technique T1059.007 for execution through command-line interfaces, as the compromised wget process could potentially be leveraged for further system compromise. The flaw enables an attacker to manipulate malloc metadata structures, potentially leading to arbitrary code execution or denial of service conditions. This type of heap corruption vulnerability is particularly dangerous because it can be exploited to gain unauthorized control over the application's memory management, creating opportunities for privilege escalation and persistent system compromise.
Mitigation strategies should prioritize immediate patching of wget to version 1.19.2 or later, which implements proper validation of chunk lengths and prevents negative values from being processed. Organizations should also consider implementing network-level controls that monitor and filter HTTP responses for malformed chunked encoding, particularly when wget is used in automated or untrusted network environments. Additionally, system administrators should conduct thorough vulnerability assessments to identify any systems running affected wget versions and ensure comprehensive patch management protocols are in place to prevent similar issues from arising in other network utilities.
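The following C code is an added example written for this page; it is not code from wget, MITRE or VulDB. It shows the two checks the summary and analysis say were missing: the chunk-size line is parsed without ever accepting a sign character or an out-of-range value, and the "read the chunk in 8192-byte pieces" clamp is done entirely in size_t so that no negative or narrowed length can reach the read call. The function names parse_chunk_size and next_read_len, the MAX_CHUNK_BYTES policy limit and the sample size lines are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy value: the largest single chunk this client is willing to
 * buffer. Real clients pick this from their own memory budget. */
#define MAX_CHUNK_BYTES ((size_t)64 * 1024 * 1024)

/* Same piece size the wget code path on this page uses for its read loop. */
#define READ_PIECE ((size_t)8192)

static int hexval(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    return tolower((unsigned char)c) - 'a' + 10;
}

/* Parse the size line of an HTTP/1.1 chunk, e.g. "1f;ext=val\r\n".
 *
 * Unlike strtol()/strtoul(), this never consumes a leading '-' or '+', so a
 * "negative chunk length" cannot be produced at all; it also refuses an empty
 * digit run, anything other than a chunk extension or CRLF after the digits,
 * and any value above max_chunk (checked before the multiply can overflow).
 * Returns true and stores the size on success, false otherwise. */
bool parse_chunk_size(const char *line, size_t max_chunk, size_t *out)
{
    size_t v = 0;
    size_t ndigits = 0;
    const char *p = line;

    if (line == NULL || out == NULL)
        return false;

    for (; isxdigit((unsigned char)*p); ++p, ++ndigits) {
        /* If v*16 would already exceed max_chunk, stop before it wraps. */
        if (v > (max_chunk >> 4))
            return false;
        v = (v << 4) | (size_t)hexval(*p);
        if (v > max_chunk)
            return false;
    }

    if (ndigits == 0)            /* "", "-1", "+10", ";ext" all land here */
        return false;
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return false;            /* trailing garbage such as "10 \r\n" */

    *out = v;
    return true;
}

/* Clamp for the piecewise read loop. Both operands are size_t, so the result
 * is never negative and is never narrowed to int before use. */
size_t next_read_len(size_t remaining, size_t piece)
{
    return remaining < piece ? remaining : piece;
}

/* Count how many read calls a chunk of the given size needs when consumed in
 * READ_PIECE-sized pieces; returns 0 for a rejected size line. */
size_t reads_for_chunk_line(const char *line)
{
    size_t remaining, reads = 0;

    if (!parse_chunk_size(line, MAX_CHUNK_BYTES, &remaining))
        return 0;
    while (remaining > 0) {
        size_t n = next_read_len(remaining, READ_PIECE);
        remaining -= n;          /* cannot underflow: n <= remaining */
        ++reads;
    }
    return reads;
}

int main(void)
{
    /* Constructed sample size lines as a server might send them. */
    const char *samples[] = { "1f\r\n", "4000\r\n", "-1\r\n", "+10\r\n",
                              "ffffffffffffffff\r\n", "10 \r\n", "\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        size_t n;
        bool ok = parse_chunk_size(samples[i], MAX_CHUNK_BYTES, &n);
        printf("%-22s -> %s", samples[i], ok ? "accepted" : "rejected");
        if (ok)
            printf(", %zu bytes in %zu reads", n, reads_for_chunk_line(samples[i]));
        printf("\n");
    }
    return 0;
}
```

The point of keeping the parser in size_t end to end is that the defect described on this page was not in any single line but in a type mismatch across three of them: a signed long from strtol(), a MIN() against a small constant, and a narrowing to int at the call site. Removing the signed value at the source makes the later narrowing impossible.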