CVE-2024-38428: GNU wget vulnerability in handling userinfo subcomponent in URIs might cause insecure data interpretation

___

Introduction

CVE-2024-38428 is a vulnerability in the url.c code of GNU wget, affecting versions up to and including 1.24.5. It stems from the mishandling of semicolons within the userinfo subcomponent of a URI. As a result, data meant to be part of the userinfo subcomponent, such as usernames and passwords, can be misinterpreted as part of the host subcomponent.

By exploiting this vulnerability, an attacker could potentially expose sensitive data or trigger unauthorized actions against the targeted host. The objective of this post is to raise awareness of this security flaw and to provide relevant resources for mitigating the risk.

The vulnerability is found in the url.c file of GNU wget, specifically in the following code block:

#include <stdbool.h>

/* Scans [start, end) for a delimiter that would end the userinfo span. */
static bool check_userinfo (const char *start, const char *end)
{
  const char *p;
  for (p = start; p < end; p++)
    if (*p == ';' || *p == '?' || *p == '@' || *p == '/') /* problematic line */
      break;
  return p < end; /* true if one of the problematic chars is seen */
}

This function is responsible for detecting the presence of a userinfo subcomponent in a URI. The problematic line does not handle semicolons appropriately, which leads to the misinterpretation of data in the URI.

Original References

1. GNU wget Official site
2. CVE-2024-38428
3. url.c code in GNU Wget

Exploit Details

An attacker may exploit this vulnerability by crafting a URI that contains a semicolon within the userinfo subcomponent. When a vulnerable version of GNU wget encounters such a URI, it may misinterpret the URI's components and bypass certain security measures.

For example, consider the following URI:

http://user;evil.com@trustedwebsite.com

Here the userinfo should be "user;" and the host should be "trustedwebsite.com". Because of the vulnerability, GNU wget instead interprets the userinfo as "user" and the host as "evil.com@trustedwebsite.com".

This could allow an attacker to redirect wget requests to a server they control, potentially exposing sensitive data such as private keys, or enabling other unauthorized actions.

To protect against this exploit, users should update to a patched version of GNU wget or use alternative software for fetching content over HTTP/HTTPS. The vulnerability is fixed in GNU wget 1.25, so updating to that version or later removes the exposure.
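The following is an added example, not code from wget or this post's author. It shows how an RFC 3986 authority split treats the URI above (the authority ends at the first '/', '?' or '#', and everything before the first '@' inside it is userinfo, with ';' being an ordinary sub-delim there) and adds a pre-check a defender can run on URIs before handing them to a fetcher that is not yet patched. The function names and the struct are assumptions of this example; port handling is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result of splitting the authority (the text after "scheme://"). */
struct authority {
    const char *userinfo;  size_t userinfo_len;  /* length 0 when absent */
    const char *host;      size_t host_len;      /* host[:port], port left in */
};

/* RFC 3986 split: the authority ends at the first '/', '?' or '#'; if it
   contains an '@', everything before the first '@' is userinfo and the
   rest is host. ';' is a sub-delim, so it never terminates userinfo. */
void split_authority(const char *after_scheme, struct authority *out)
{
    size_t auth_len = strcspn(after_scheme, "/?#");
    const char *at = memchr(after_scheme, '@', auth_len);

    out->userinfo = after_scheme;
    if (at != NULL) {
        out->userinfo_len = (size_t)(at - after_scheme);
        out->host = at + 1;
        out->host_len = auth_len - out->userinfo_len - 1;
    } else {
        out->userinfo_len = 0;
        out->host = after_scheme;
        out->host_len = auth_len;
    }
}

/* True when the split yields exactly the expected userinfo and host. */
bool authority_matches(const char *after_scheme,
                       const char *exp_userinfo, const char *exp_host)
{
    struct authority a;
    split_authority(after_scheme, &a);
    return a.userinfo_len == strlen(exp_userinfo)
        && memcmp(a.userinfo, exp_userinfo, a.userinfo_len) == 0
        && a.host_len == strlen(exp_host)
        && memcmp(a.host, exp_host, a.host_len) == 0;
}

/* Defensive pre-check for input handed to an unpatched fetcher: flag any
   URI whose userinfo holds a ';', since a parser that treats ';' as the
   end of the authority would carve the URI up differently. */
bool userinfo_has_semicolon(const char *after_scheme)
{
    struct authority a;
    split_authority(after_scheme, &a);
    return a.userinfo_len > 0
        && memchr(a.userinfo, ';', a.userinfo_len) != NULL;
}
```

The check flags the post's example URI while leaving a plain "host;param" path-style URI with no userinfo untouched.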

Timeline

Published on: 06/16/2024 03:15:08 UTC
Last modified on: 08/08/2024 15:05:30 UTC