rsync over ssh - possible attack vectors
gsullivan.mlists.only at googlemail.com
Thu Apr 15 18:16:21 MDT 2010
First my setup:
I connect from Debian Lenny to Ubuntu Karmic with a command like:
user1@localserver:$ rsync -rtcve ssh user1@remoteserver:/.../ /local/.../
(using default versions of ssh and rsync in the vendor repos,
ssh with password authentication)
As far as I understand if localserver got compromised an
attacker could read the password and then get full access
to remoteserver as user1.
SSH protects against attacks from a 3rd system on the network.
But what I'm interested in is what happens if remoteserver
is compromised? Obviously it could feed bad data or trigger
a remote vulnerability in rsync or ssh (0day buffer overflow, whatever)
to get system access on localserver.
I'm not worried about any of these vectors, the last one isn't very
likely (and I can't do anything about it anyway) and the first doesn't
concern me because localserver is a locked down backup server
whereas remoteserver is an internet-facing server.
Data corruption can be detected using the checksumming option.
Now to my actual question:
Have I missed one attack vector: Could attacker X on
remoteserver alter the rsync binary in such a way so it can traverse
and change or read arbitrary files on localserver? Does running the above
command execute remote code or give remoteserver any kind of system
access to localserver (does the ssh tunnel work both ways???)
or is it "pumping" data through a dumb pipe just like for example rsync
over a samba share would and leaving all control to local?
Sorry if this sounds like a dumb question, I searched but couldn't
find a definite answer. I'm also using rsync with "-c" as some kind
of poor man's HIDS so security is paramount. remoteserver is
as mentioned a webserver, it's a question of when, not if, it gets
compromised, localserver handles sensitive files. Maybe not that drastic,
but you get the picture. To sum it up the question is, what's the risk
connecting these two systems? I thought about alternatives but couldn't
come up with anything practical (for example using two separate backup
systems or using offline storage to transfer the data).
Please also tell me if I missed anything else.
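
The post mentions using rsync with "-c" as a poor man's HIDS. The script below is an added example, not part of the original post: it classifies the itemized output of a dry-run comparison, so nothing is written to localserver while checking. The -n and -i flags, the function names and the sample lines are additions made for this example; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the output of a
# dry-run, checksum-based comparison such as:
#   rsync -rtcn -i -e ssh user1@remoteserver:/.../ /local/.../
# -n (dry run) and -i (itemize changes) are additions to the post's flags.
# Each line starts with an 11-character string "YXcstpoguax":
#   Y: '>' = file would be received, '.' = attributes only
#   X: 'f' = regular file, 'd' = directory
#   position 3: 'c' = checksum differs; all '+' = file is new locally

# Constructed sample of itemized output (hypothetical paths).
SAMPLE_OUTPUT='>fc.t...... htdocs/index.php
>fcst...... htdocs/js/site.js
.f..t...... htdocs/img/logo.png
>f+++++++++ htdocs/uploads/x.php
.d..t...... htdocs/'

# stdin: itemized lines; stdout: "KIND<TAB>path" for each regular file.
classify_itemized() {
    while IFS= read -r line; do
        flags=${line%% *}   # the 11-character itemize string
        path=${line#* }     # everything after the first space
        case "$flags" in
            '>f+++++++++') printf 'NEW\t%s\n' "$path" ;;      # not in local copy
            '>fc'????????) printf 'CONTENT\t%s\n' "$path" ;;  # checksum differs
            '.f'?????????) printf 'META\t%s\n' "$path" ;;     # e.g. mtime only
        esac
    done
}

# $1 = kind (NEW, CONTENT or META); stdin: itemized lines; prints a count.
count_kind() {
    classify_itemized | awk -F'\t' -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Stand-alone run: show the classification of the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_itemized
```

A non-zero CONTENT or NEW count for a tree that is supposed to be static is the signal to investigate before running the real transfer.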