CVE-2017-13089

HIGH

GNU Wget < 1.19.2 - Heap-Based Buffer Overflow via Negative Chunk Length

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-13089. PoCs published by mzeyong, r1b.

AI-analyzed exploit summary This PoC generates a payload for CVE-2017-13089, a vulnerability in Wi-Fi Protected Setup (WPS) that allows remote code execution via a malformed HTTP chunked encoding request. The shellcode is placeholder and requires manual adjustment for the target environment.

Description

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

Exploits (2)

nomisec WORKING POC 55 stars
by mzeyong · poc
https://github.com/mzeyong/CVE-2017-13089

This PoC generates a payload for CVE-2017-13089, a vulnerability in Wi-Fi Protected Setup (WPS) that allows remote code execution via a malformed HTTP chunked encoding request. The shellcode is placeholder and requires manual adjustment for the target environment.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Wi-Fi Protected Setup (WPS) implementations (e.g., certain routers)
No auth needed
Prerequisites: Network access to vulnerable WPS endpoint · Manual adjustment of shellcode address
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 52 stars
by r1b · poc
https://github.com/r1b/CVE-2017-13089

This repository contains a non-working exploit PoC for CVE-2017-13089, targeting wget v1.19.1. It includes a DoS script and a placeholder exploit script, but the README explicitly states it is under development and not functional.

Classification
Stub 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Theoretical
Target: wget v1.19.1
No auth needed
Prerequisites: Docker environment with ASLR disabled · wget v1.19.1 compiled without stack protector
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201711-06
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-4008
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
Issue Tracking, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101592
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/r1b/CVE-2017-13089
Issue Tracking, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039661
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3075

Scores

CVSS v3 8.8
EPSS 0.7985
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119 CWE-121
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
gnu/wget < 1.19.1
GNU Project/Wget prior to 1.19.2
Published Oct 27, 2017
Tracked Since Feb 18, 2026