CVE-2018-1000517
Published 2018-06-26
Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 32.38% (98.1th percentile)
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in BusyBox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| busybox | busybox | < 1.29.0 | 1.29.0 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.21.0-1ubuntu1.4 | 1:1.21.0-1ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.22.0-15ubuntu1.4 | 1:1.22.0-15ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.27.2-2ubuntu3.2 | 1:1.27.2-2ubuntu3.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | busybox | < busybox 1:1.27.2-3 (bookworm) | busybox 1:1.27.2-3 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
Detection & IOCs
- The vulnerability is only triggerable during HTTP chunked transfer encoding. Monitor for HTTP chunked responses delivered to BusyBox wget clients, particularly where chunk sizes are attacker-controlled and abnormally large.
- The exploit mechanism involves sending an HTTP chunk with a size value that, when cast to a signed off_t, bypasses length checks and passes a large attacker-controlled value to fread(), causing a heap buffer overflow. Look for oversized or sign-boundary chunk length values in HTTP chunked responses targeting embedded/IoT devices running BusyBox wget.
- Exploitation requires network connectivity — flag inbound HTTP responses with malformed or oversized chunked Transfer-Encoding headers directed at BusyBox wget processes on IoT/embedded firmware.
- The vulnerability only affects BusyBox wget prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e (fixed in BusyBox 1.29.0, released 1 July 2018). GNU wget shipped in RHEL/Fedora is a separate codebase and is NOT affected.
- RHEL 5 and RHEL 6 are listed as Not Affected. The vulnerable chunked-transmission code path is gated by G.got_clen logic that prevents exploitation on those builds.
- Debian fixed this in busybox package version 1:1.27.2-3 across bookworm, bullseye, forky, sid, and trixie.
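A defender-side sketch of the chunk-size check described in the list above, as an added example that is not taken from the page's sources or from BusyBox: it walks the chunk-size lines of a captured chunked HTTP body and flags values that are malformed, oversized, or beyond the signed 64-bit range of a typical off_t. The sample bodies, the 16 MiB policy threshold and all function names are constructed assumptions.

```python
import re

INT64_MAX = 2**63 - 1            # largest value a signed 64-bit off_t can hold
MAX_SANE_CHUNK = 16 * 1024**2    # assumed local policy threshold (16 MiB)
HEX_FIELD = re.compile(rb"[0-9A-Fa-f]+")

def scan_chunked_body(body):
    """Walk the chunk-size lines of a chunked HTTP body.

    Returns a list of (byte_offset, reason) findings; empty means clean.
    """
    findings, pos = [], 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            findings.append((pos, "truncated chunk-size line"))
            break
        # Chunk extensions (";name=value") are not part of the size.
        field = body[pos:eol].split(b";", 1)[0].strip()
        if not HEX_FIELD.fullmatch(field):
            findings.append((pos, "non-hex chunk size"))
            break
        size = int(field, 16)
        if size > INT64_MAX:
            # Would be negative (or overflow) once stored in a signed off_t.
            findings.append((pos, "chunk size exceeds signed 64-bit range"))
            break
        if size > MAX_SANE_CHUNK:
            findings.append((pos, "oversized chunk"))
        if size == 0:
            break                      # last-chunk marker
        pos = eol + 2 + size + 2       # skip chunk data and its trailing CRLF
    return findings

# Constructed sample bodies (not captured traffic).
BENIGN = b"5\r\nhello\r\n0\r\n\r\n"
SIGN_BOUNDARY = b"5\r\nhello\r\nffffffffffffffff\r\nAAAA"
OVERSIZED = b"7fffffff\r\nAAAA"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("sign-boundary", SIGN_BOUNDARY),
                         ("oversized", OVERSIZED)):
        print(name, scan_chunked_body(sample))
```

The offsets in the findings point at the start of the offending chunk-size line, which makes it easy to locate the value in a packet capture or proxy log.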
CVSS provenance
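| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |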
Ubuntu
BusyBox vulnerabilities
vendor_ubuntu·2019-04-03·CVSS 7.5
CVE-2011-5325 [HIGH] BusyBox vulnerabilities
Title: BusyBox vulnerabilities
Summary: Several security issues were fixed in BusyBox.
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)
It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a
Red Hat
busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function
vendor_redhat·2018-04-08·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CWE-122 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function
Package: busybox (Red Hat Enterprise Linux 5) - Not affected
Package: busybox (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2018-1000517: busybox - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1...
vendor_debian·2018·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CVE-2018-1000517: busybox - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1...
Scope: local
bookworm: resolved (fixed in 1:1.27.2-3)
bullseye: resolved (fixed in 1:1.27.2-3)
forky: resolved (fixed in 1:1.27.2-3)
sid: resolved (fixed in 1:1.27.2-3)
trixie: resolved (fixed in 1:1.27.2-3)
GHSA
GHSA-m9j3-9rqj-pg6p: BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget
ghsa_unreviewed·2022-05-13
CVE-2018-1000517 [CRITICAL] CWE-120 GHSA-m9j3-9rqj-pg6p: BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget
OSV
busybox vulnerabilities
osv·2019-04-03·CVSS 7.5
CVE-2011-5325 [HIGH] busybox vulnerabilities
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)
It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a specially crafted
ZIP archive, a remote attacker could cause Bu
OSV
CVE-2018-1000517: BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget
osv·2018-06-26·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CVE-2018-1000517: BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1000517 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function [fedora-all]
bugzilla·2018-06-27·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CVE-2018-1000517 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2018-1000517 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function
bugzilla·2018-06-27·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CVE-2018-1000517 busybox: wget: Heap-based buffer overflow in the retrieve_file_data() function
A heap buffer overflow vulnerability was found in wget.
Upstream patch:
https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
Discussion:
Created wget tracking bugs for this issue:
Affects: fedora-all [bug 1595596]
---
(In reply to Andrej Nemec from comment #0)
> A heap buffer overflow vulnerability was found in wget.
>
> Upstream patch:
>
> https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
That is definitely not an upstream git and that file does not exist in wget. It is probably some "custom" busybox implementation of "wget" command, but it does not seem to have much in common with GNU wget we ship in RHEL and Fedora.
Bugzilla
CVE-2018-1000517 wget: Heap-based buffer overflow in the retrieve_file_data() function [fedora-all]
bugzilla·2018-06-27·CVSS 9.8
CVE-2018-1000517 [CRITICAL] CVE-2018-1000517 wget: Heap-based buffer overflow in the retrieve_file_data() function [fedora-all]
arXiv
MIRAGE: Multi-Binary Image Risk Assessment with Attack Graph Employment
arxiv_fulltext·2023-11-06
David Tayouri, Telem Nachum, Asaf Shabtai
Dept. of Software and Information Systems Engineering
Ben-Gurion University of the Negev
Beer-Sheva, Israel
{davidtay,telemn}@post.bgu.ac.il
## Abstract
Attackers can exploit known vulnerabilities to infiltrate a device's firmware and the communication between firmware binaries, in order to pass between them.
To improve cybersecurity, organizations must identify and mitigate the risks of the firmware they use.
An attack graph (AG) can be used to assess and visually display firmware's risks by organizing the identified vulnerabilities into attack paths composed of sequences of actions attackers may perform to compromise firmware images.
In this paper,
- https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
- https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html
- https://usn.ubuntu.com/3935-1/