An entirely different RCE in wget today:<p><a href="https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access" rel="nofollow">https://community.rapid7.com/community/metasploit/blog/2014/...</a>
This ftp is otherwise known as tnftp and originates with NetBSD.<p>It is part of their base install and is the only ftp/http client installed by default. It is the default client for installing packages.<p>Aside from the popen feature (-o"|utility" pipes output to utility), getting this program to segfault is quite easy. If you are concerned about security I would seek a workaround that you trust.<p>tnftp does not link to libfetch, but on NetBSD libfetch is still present (why? I am not sure), so a user could install fetch(1), the default ftp/http client from FreeBSD, which is available as a package, and it will work "out of the box". FreeBSD's fetch(1) does link to libfetch.<p>There is also example code for a libfetch-linked client in the NetBSD source tree.<p>Whether the fetch(1) client has security issues of its own, I do not know, but at least it does not implement the popen feature.
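An added example, not part of the comment above and not tnftp's own code: one way a download client can keep the -o"|utility" pipe feature while refusing to treat a name it did not get from the user as a pipe. It assumes a client that may also derive an output name from the remote URL when no -o is given; every identifier in it is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from tnftp. */
enum name_source { FROM_USER_OPTION, FROM_REMOTE };
enum out_kind { OUT_FILE, OUT_PIPE, OUT_REJECT };

/* Decide how an output name may be opened.
 * A leading '|' selects a pipe only when the user typed it (-o "|utility").
 * A name taken from the remote side is reduced to its last path component
 * and rejected if it could be read as a pipe, an option, or a directory.
 * On success *target is the file name or the command to hand to popen(). */
enum out_kind classify_output(const char *name, enum name_source src,
                              const char **target)
{
    const char *base;

    *target = NULL;
    if (name == NULL || *name == '\0')
        return OUT_REJECT;

    if (src == FROM_USER_OPTION) {
        if (name[0] != '|') {
            *target = name;
            return OUT_FILE;
        }
        if (name[1] == '\0')          /* "|" with no command */
            return OUT_REJECT;
        *target = name + 1;
        return OUT_PIPE;
    }

    /* Remote-derived name: never a pipe, never outside the current dir. */
    base = strrchr(name, '/');
    base = base ? base + 1 : name;
    if (*base == '\0' || *base == '|' || *base == '-' ||
        strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return OUT_REJECT;
    *target = base;
    return OUT_FILE;
}

int main(void)
{
    const char *t;
    /* Constructed sample inputs. */
    printf("%d\n", classify_output("|gzip -c", FROM_USER_OPTION, &t));
    printf("%d\n", classify_output("dir/|constructed", FROM_REMOTE, &t));
    return 0;
}
```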
The exploit mechanism is a bit dodgy in TFA, so I wrote a proof of concept exploit using Python for testing systems[1].<p>[1] - <a href="http://lab.dreamcats.org/ftp_exp.py" rel="nofollow">http://lab.dreamcats.org/ftp_exp.py</a>