Created attachment 17422 [details]
POC of vulnerability
The problem arises when trying to copy from a "case-sensitive" source to a "case-insensitive" target. The copy involves directories, files, and symbolic links (to directories). A maliciously crafted source directory can result in rsync following symbolic links and writing data outside the target directory.
For a concrete example, consider the following source directory structure:
secret (symlink to /tmp)
We use rsync to recursively copy from SRC/ to TARGET/.
Command: "rsync -a SRC/ TARGET/"
Additionally, TARGET/ is on case-insensitive filesystem.
Problem: During the copy, rsync creates the TOPDIR/secret/config (file) by following the symbolic link "topdir/secret". Hence, /tmp/config is created by rsync.
We found a flag called: --copy-links which makes rsync follow symlinks at source before doing the copy. However, my understanding is that rsync should not follow symbolic links at the target, esp. the symbolic links it creates.
I have attached a POC script that demonstrates this behavior. I have tested it on rsync versions 3.2.3 and 3.1.3. Compiling the latest version (3.2.4) of rsync results in an error during the ./configure step. Hence, I could not test it.
Running Proof of concept script:
The script requires two command line arguments:
- Argument 1 = any empty case-sensitive directory
- Argument 2 = any empty case-insensitive directory
Example of invoking script for WSL:
./rsync-poc.sh ~/src /mnt/c/Users/xyz/dst