Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt

Rule Explanation

This event is generated when an attempt to exploit CVE-2017-13089 is detected.

Impact:

Web Application Attack

Details:

Wget can accept HTTP responses using chunked encoding. Due to typecasting, a very large negative chunk-size value results in a heap buffer overflow. An attacker may answer an HTTP GET request with a response carrying any status other than HTTP 200 OK, chunked encoding, and a chunk with a very large negative size value to exploit this vulnerability. Successful exploitation may result in arbitrary code execution with the privileges of the user running Wget, or in abnormal program termination.

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2017-13089
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
Details
Severity:
Base Score: 8.8
Impact Score: 5.9
Exploit Score: 2.8
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Attack Vector: NETWORK
Scope: UNCHANGED
User Interaction: REQUIRED
Authentication:
Ease of Access: LOW
Privileges Required: NONE
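As an added example (not code from the Talos rule page or from wget), the following Python applies the three conditions the rule description and the CVE text above combine, a non-200 status, a chunked body and a chunk size that strtol() would read as negative, to raw HTTP responses, and includes a small helper showing how the low 32 bits of such a value survive the long-to-int conversion into fd_read(). The sample responses are constructed for illustration; the function and variable names are this example's own.

```python
import re

# strtol(s, NULL, 16) style token: optional blanks, sign, optional 0x, hex digits.
CHUNK_SIZE_RE = re.compile(rb"^[ \t]*([+-]?)(?:0[xX])?([0-9a-fA-F]+)")

def parse_chunk_size_strtol(line):
    """Mimic the strtol() call wget used: signed value, or None if no digits."""
    m = CHUNK_SIZE_RE.match(line)
    if not m:
        return None
    value = int(m.group(2), 16)
    return -value if m.group(1) == b"-" else value

def to_c_int(value):
    """Keep the low 32 bits of a 64-bit long, as passing it to an int parameter does."""
    low = value & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low

def inspect_response(raw):
    """Apply the rule's conditions: non-200 status, chunked body, negative chunk size."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for h in lines[1:]:
        name, _, val = h.partition(b":")
        headers[name.strip().lower()] = val.strip().lower()
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"")
    result = {"status": status, "chunked": chunked, "negative_chunk": None, "alert": False}
    if not (chunked and sep):
        return result
    pos = 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        size = parse_chunk_size_strtol(body[pos:] if eol < 0 else body[pos:eol])
        if size is not None and size < 0:  # what the unchecked strtol() lets through
            result["negative_chunk"] = size
            result["alert"] = status != 200  # the rule only covers non-200 responses
            break
        if not size or eol < 0:            # no digits, last chunk, or truncated capture
            break
        pos = eol + 2 + size + 2           # size line, chunk data, trailing CRLF
    return result

# Constructed samples (not real captures): a benign chunked 200 and a suspect 302.
BENIGN = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
SUSPECT = (b"HTTP/1.1 302 Found\r\nLocation: /next\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"-FFFFF000\r\n")
```

For the suspect sample, MIN(size, 512) keeps the negative value, and to_c_int() shows fd_read() would receive 4096, well past the 512-byte read the MIN() bound was meant to enforce.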