[Bug 15122] New: Potential vulnerability: rsync creates files outside the target directory

samba-bugs at samba.org samba-bugs at samba.org
Thu Jul 14 22:04:17 UTC 2022


https://bugzilla.samba.org/show_bug.cgi?id=15122

            Bug ID: 15122
           Summary: Potential vulnerability: rsync creates files outside
                    the target directory
           Product: rsync
           Version: 3.2.0
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: wayne at opencoder.net
          Reporter: azb254 at psu.edu
        QA Contact: rsync-qa at samba.org
  Target Milestone: ---

Created attachment 17422
  --> https://bugzilla.samba.org/attachment.cgi?id=17422&action=edit
POC of vulnerability

The problem arises when trying to copy from a "case-sensitive" source to a
"case-insensitive" target. The copy involves directories, files, and symbolic
links (to directories). A maliciously crafted source directory can result in
rsync following symbolic links and writing data outside the target directory.

For a concrete example, consider the following source directory structure:
SRC/
  topdir/
     secret (symlink to /tmp)
  TOPDIR/
     secret/
        config (file)

We use rsync to recursively copy from SRC/ to TARGET/.
Command: "rsync -a SRC/ TARGET/"
Additionally, TARGET/ is on a case-insensitive filesystem.

Problem: During the copy, rsync creates the TOPDIR/secret/config (file) by
following the symbolic link "topdir/secret". Hence, /tmp/config is created by
rsync.

We found a flag called --copy-links, which makes rsync follow symlinks at the
source before doing the copy. However, my understanding is that rsync should
not follow symbolic links at the target, esp. the symbolic links it creates.

I have attached a POC script that demonstrates this behavior. I have tested it
on rsync versions 3.2.3 and 3.1.3. Compiling the latest version (3.2.4) of
rsync results in an error during the ./configure step. Hence, I could not test
it.

Running Proof of concept script:
The script requires two command line arguments:
- Argument 1 = any empty case-sensitive directory
- Argument 2 = any empty case-insensitive directory

Example of invoking script for WSL:
./rsync-poc.sh ~/src /mnt/c/Users/xyz/dst

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
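
A pre-flight check for the layout described in the report, as an added example that is not part of the report or its attached POC: it scans a source tree for paths that differ only by case and flags groups where a symlink and a real directory would land on the same name on a case-insensitive target (the topdir/secret vs. TOPDIR/secret case). The function names are hypothetical, and str.casefold() is assumed to approximate the target filesystem's case folding.

```python
import os
import sys
from collections import defaultdict


def classify(path):
    """Return 'symlink', 'dir' or 'file' without following symlinks."""
    if os.path.islink(path):
        return "symlink"
    return "dir" if os.path.isdir(path) else "file"


def find_case_collisions(root):
    """Group entries under root whose relative paths differ only by case.

    Returns a list of (folded_path, [(rel_path, kind), ...], symlink_over_dir).
    symlink_over_dir is True when a symlink and a real directory in the source
    would share one name on a case-insensitive target.
    """
    groups = defaultdict(list)
    # followlinks=False: symlinks to directories are listed but not descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Assumption: casefold() approximates the target's case folding.
            groups[rel.casefold()].append((rel, classify(full)))
    findings = []
    for folded, entries in sorted(groups.items()):
        if len(entries) < 2:
            continue  # no other path folds to this name
        kinds = {kind for _, kind in entries}
        findings.append((folded, sorted(entries), {"symlink", "dir"} <= kinds))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_case.py SRC/   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for folded, entries, risky in find_case_collisions(root):
        tag = "SYMLINK-OVER-DIR" if risky else "collision"
        print(f"{tag}: {folded}: {entries}")
```

Any SYMLINK-OVER-DIR finding means the tree should not be synced to a case-insensitive target until the colliding names are resolved.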

