SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt
This event is generated when an attempt to exploit CVE-2017-13089 is detected.
Web Application Attack
Wget can accept HTTP responses using chunked encoding. Due to typecasting, very large negative values will result in a heap buffer overflow. An attacker may respond to an HTTP GET request with a response of any type other than HTTP 200 OK, with chunked encoding and a chunk with a very large negative size value to exploit this vulnerability. Successful exploitation may result in arbitrary code execution with privileges of the user running Wget, or abnormal program termination.
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2017-13089: The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument.
Ease of Access: LOW
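
The length handling described in the CVE text above, as an added C example (not Wget's source and not part of the original rule page): `unchecked_read_len` models the missing sign check and the truncation to a 32-bit int, and `checked_chunk_size` rejects the value before it is used. The function names, the use of `strtoll`/`int64_t` to model a 64-bit `long`, and the sample size line are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SKIP_BUF 512                      /* skip-buffer size from the CVE text */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Unchecked path (hypothetical model): the int length the read call would get. */
int32_t unchecked_read_len(const char *size_line)
{
    int64_t remaining = strtoll(size_line, NULL, 16); /* a leading sign is accepted */
    int64_t want = MIN(remaining, SKIP_BUF);          /* a negative value always wins */
    uint32_t low = (uint32_t)(uint64_t)want;          /* high 32 bits discarded */
    int32_t len;
    memcpy(&len, &low, sizeof len);                   /* reinterpret as signed int */
    return len;
}

/* Hardened parse: chunk-size is 1*HEXDIG, so no sign, no overflow, no negatives.
 * Returns 0 and stores the size in *out, or -1 to reject the response. */
int checked_chunk_size(const char *size_line, int64_t *out)
{
    if (!isxdigit((unsigned char)size_line[0]))
        return -1;                                    /* rejects '-', '+', spaces */
    errno = 0;
    long long v = strtoll(size_line, NULL, 16);
    if (errno == ERANGE || v < 0)
        return -1;                                    /* the non-negative check */
    *out = v;
    return 0;
}

int main(void)
{
    const char *sample = "-FFFFFC00";                 /* constructed sample size line */
    int64_t size = 0;
    printf("unchecked length: %d (buffer is %d)\n",
           (int)unchecked_read_len(sample), SKIP_BUF);
    printf("hardened parse:   %s\n",
           checked_chunk_size(sample, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the constructed input, the unchecked model yields a length larger than the 512-byte skip buffer, while the hardened parser rejects the line outright.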