librsync and rsync vulnerability to maliciously crafted data. was Re: MD4 checksum_seed

Eran Tromer rsync2eran at tromer.org
Thu Apr 8 09:57:34 GMT 2004


Hi,

On 2004/04/05 07:21, Donovan Baarda wrote:
[snip]
> there are four ways crafted blocks can be used;
> 
> 1) two crafted blocks in the "original" file
> 
> 2) two crafted blocks in the "target" file
> 
> 3) a crafted pair of "target" and "original" files with matching
> block(s)
> 
> 4) a block in the "target" crafted to match a block in the "original"
[snip]
> Summary;
> 
> case 2) has no impact
> 
> case 4) is of minimal impact in rsync, and sufficiently hard in
> librsync.
> 
> librsync needs a whole file checksum. Without it, it silently fails for
> case 1), 3), and 4).
> 
> librsync could benefit from a random checksum_seed. It would need to be
> included in the signature. Without it librsync is vulnerable to cases 1)
> and 3).
[snip]
> rsync shouldn't need a fixed seed for batch modes... just store the seed
> in the signature. Using a fixed seed makes it vulnerable to 1) and 3).

I fully agree with your analysis.
I'll just note that in many situations, case 2 can be elevated to case 3
simply by transferring the file twice.

  Eran
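
The two mitigations named in the quoted summary (a seed stored in the signature, and a whole-file checksum) can be seen on a toy block-matching transfer for case 3. This is an added example, not rsync or librsync code and not from either poster. Assumptions: SHA-256 truncated to 4 bytes stands in for the MD4 block sum, matching is block-aligned only, and all names are hypothetical.

```python
import hashlib
import os

BLOCK, SUM_LEN = 16, 4   # toy sizes; a 4-byte block sum keeps the search below fast
FIXED_SEED = bytes(4)    # a seed known in advance to whoever crafts the files

def block_sum(seed, block):
    # SHA-256 stands in for MD4; the seed is hashed together with the block.
    return hashlib.sha256(seed + block).digest()[:SUM_LEN]

def signature(seed, original):
    # The seed is stored in the signature next to the per-block sums.
    sums = {block_sum(seed, original[i:i + BLOCK]): i
            for i in range(0, len(original), BLOCK)}
    return {"seed": seed, "sums": sums}

def delta(sig, target):
    # Block-aligned matching only (no rolling checksum), plus a whole-file sum.
    ops = []
    for i in range(0, len(target), BLOCK):
        blk = target[i:i + BLOCK]
        off = sig["sums"].get(block_sum(sig["seed"], blk))
        ops.append(("data", blk) if off is None else ("copy", off))
    return {"ops": ops, "file_sum": hashlib.sha256(target).digest()}

def patch(original, d, verify):
    out = b"".join(arg if op == "data" else original[arg:arg + BLOCK]
                   for op, arg in d["ops"])
    if verify and hashlib.sha256(out).digest() != d["file_sum"]:
        raise ValueError("whole-file checksum mismatch")
    return out

def transfer(seed, original, target, verify):
    return patch(original, delta(signature(seed, original), target), verify)

def colliding_pair(seed):
    # Constructed sample input: two distinct blocks with equal sums under `seed`.
    seen, i = {}, 0
    while True:
        blk = i.to_bytes(BLOCK, "big")
        other = seen.setdefault(block_sum(seed, blk), blk)
        if other != blk:
            return other, blk
        i += 1

if __name__ == "__main__":
    a, b = colliding_pair(FIXED_SEED)   # case 3: original = a, target = b
    print("fixed seed, no file sum, correct:", transfer(FIXED_SEED, a, b, False) == b)
    print("fresh seed, no file sum, correct:", transfer(os.urandom(4), a, b, False) == b)
```

Calling `transfer(FIXED_SEED, a, b, verify=True)` raises `ValueError`, which is the whole-file checksum turning the silent failure into a detected one.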

