wget may expose user IP address with FTP protocol (CVE-2015-7665) (#10364) · Issues · tails / tails

wget may expose user IP address with FTP protocol (CVE-2015-7665)

Originally created by @hybridwipe on #10364 (Redmine)

See

I’ve attached a patch that should address this according to the comments from that thread. However, I have not explicitly set up an FTP server to test the attack and the fix. I won’t be in a position to do so for a week or so, but would greatly appreciate if someone else would do that.

A bit of explanation for the patch, I’m using dpkg-divert to move the wget binary to /usr/share/tails/wget to remove it from $PATH. I originally tried moving it to /usr/bin/wget-real, but then noticed that invoking wget w/o any args exposes the true binary name:
wget-real: missing URL
Usage: wget-real [OPTION]… [URL]…

Try `wget-real —help’ for more options.

That isn’t great, but it’s also scary to have wget itself in $PATH (i.e., some debian packaged binary may call /usr/bin/wget directly, which would bypass torsocks!). In light of this, I thought it prudent to move it out of $PATH, and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.

Please review.

Attachments

0001-use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt

Related issues

Copied to #10365

_Originally created by @hybridwipe on [#10364 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/10364)_

See

I’ve attached a patch that should address this according to the comments
from that thread. However, I have not explicitly set up an FTP server to
test the attack and the fix. I won’t be in a position to do so for a
week or so, but would greatly appreciate if someone else would do that.

A bit of explanation for the patch, I’m using dpkg-divert to move the
wget binary to /usr/share/tails/wget to remove it from $PATH. I
originally tried moving it to /usr/bin/wget-real, but then noticed that
invoking wget w/o any args exposes the true binary name:  
wget-real: missing URL  
Usage: wget-real \[OPTION\]… \[URL\]…

Try \`wget-real —help’ for more options.

That isn’t great, but it’s also scary to have wget itself in $PATH
(i.e., some debian packaged binary may call /usr/bin/wget directly,
which would bypass torsocks\!). In light of this, I thought it prudent
to move it out of $PATH, and /usr/share/tails seemed like an appropriate
place, though I’m open to discussion on that.

Please review.

### Attachments

* [0001-use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt](https://redmine.tails.boum.org/code/attachments/download/1015/0001-use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt)

### Related issues

- **Copied to** tails/tails#10365

Edited May 21, 2020 by hybridwipe

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.