[Bug 15122] New: Potential vulnerability: rsync creates files outside the target directory
samba-bugs at samba.org
samba-bugs at samba.org
Thu Jul 14 22:04:17 UTC 2022
https://bugzilla.samba.org/show_bug.cgi?id=15122
Bug ID: 15122
Summary: Potential vulnerability: rsync creates files outside
the target directory
Product: rsync
Version: 3.2.0
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: core
Assignee: wayne at opencoder.net
Reporter: azb254 at psu.edu
QA Contact: rsync-qa at samba.org
Target Milestone: ---
Created attachment 17422
--> https://bugzilla.samba.org/attachment.cgi?id=17422&action=edit
POC of vulnerability
The problem arises when trying to copy from a "case-sensitive" source to a
"case-insensitive" target. The copy involves directories, files, and symbolic
links (to directories). A maliciously crafted source directory can result in
rsync following symbolic links and writing data outside the target directory.
For a concrete example, consider the following source directory structure:
SRC/
topdir/
secret (symlink to /tmp)
TOPDIR/
secret/
config (file)
We use rsync to recursively copy from SRC/ to TARGET/.
Command: "rsync -a SRC/ TARGET/"
Additionally, TARGET/ is on case-insensitive filesystem.
Problem: During the copy, rsync creates the TOPDIR/secret/config (file) by
following the symbolic link "topdir/secret". Hence, /tmp/config is created by
rsync.
We found a flag called: --copy-links which makes rsync follow symlinks at
source before doing the copy. However, my understanding is that rsync should
not follow symbolic links at the target, esp. the symbolic links it creates.
I have attached a POC script that demonstrates this behavior. I have tested it
on rsync versions 3.2.3 and 3.1.3. Compiling the latest version (3.2.4) of
rsync results in an error during the ./configure step. Hence, I could not test
it.
Running Proof of concept script:
The script requires two command line arguments:
- Argument 1 = any empty case-sensitive directory
- Argument 2 = any empty case-insensitive directory
Example of invoking script for WSL:
./rsync-poc.sh ~/src /mnt/c/Users/xyz/dst
--
You are receiving this mail because:
You are the QA Contact for the bug.
More information about the rsync
mailing list