[UNIX] Rsync Unauthorised Directory Traversal and File Access (clean_fname)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/17/04
To: list@securiteam.com Date: 17 Aug 2004 12:28:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Rsync Unauthorised Directory Traversal and File Access (clean_fname)
------------------------------------------------------------------------
SUMMARY
The rsync developers have discovered a security-related problem in rsync,
a fast remote file copy program, which allows an attacker to access files
outside of the defined directory. To exploit this path-sanitizing bug,
rsync has to run in daemon mode with the chroot option disabled. It
does not affect the normal send/receive filenames that specify what files
should be transferred. It does affect certain option paths that cause
auxiliary files to be read or written.
DETAILS
Vulnerable Systems:
* rsync version 2.6.2 and prior
Immune Systems:
* rsync version 2.6.3 or newer
There is a path-sanitizing bug that affects daemon mode in all recent
rsync versions (including 2.6.2) but only if chroot is disabled. It does
NOT affect the normal send/receive filenames that specify what files
should be transferred (this is because these names happen to get sanitized
twice, and thus the second call removes any lingering leading slash(es)
that the first call left behind). It does affect certain option paths that
cause auxiliary files to be read or written.
Solution:
The best fix is to apply this one-word patch to the sanitize_path()
function in util.c:
--- orig/util.c 2004-04-27 12:59:37 -0700
+++ util.c 2004-08-11 23:37:27 -0700
@@ -743,7 +743,7 @@
allowdotdot = 1;
} else {
p += 2;
- if (*p == '/')
+ while (*p == '/')
p++;
if (sanp != start) {
/* back up sanp one level */
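Review bot: The new `while (*p == '/')` line after `p += 2` carries no comment explaining why every slash following a ".." component has to be consumed, so the one-word difference from the old `if` is easy to undo in a later cleanup. Add a short comment at that line, for example `/* skip ALL slashes after "..", or a leading '/' is left behind */`, and a regression case that feeds a path with repeated slashes after ".." through sanitize_path().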
This bug is fixed in the CVS version of rsync, and will be released in
version 2.6.3 (it is currently in release-testing).
One potential fix that doesn't require recompiling rsync is to set "use
chroot = true" for all the modules in the rsyncd.conf file.
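The following added example, which is not part of the original advisory or of the rsync project's code, checks rsyncd.conf text for modules whose effective "use chroot" setting is off, the condition this bug needs. It assumes global parameters precede the first [module], that "use chroot" defaults to true when unset, and that parameter names match case-insensitively; the sample config is constructed.

```python
# Added example: list rsyncd.conf modules that run without chroot.
# Assumptions: "use chroot" defaults to true; globals precede the first module.
BOOLEANS = {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}

def norm_name(name):
    """Whitespace in parameter names is ignored; lower-casing is an assumption."""
    return "".join(name.split()).lower()

def modules_without_chroot(conf_text):
    """Return the sorted names of modules whose effective 'use chroot' is false."""
    # A line ending in a backslash continues on the next line.
    lines = conf_text.replace("\\\n", "").splitlines()
    global_chroot = True      # assumed default when nothing is set
    modules = {}              # module name -> explicit setting, or None
    current = None            # None while still in the global section
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules.setdefault(current, None)
            continue
        name, sep, value = line.partition("=")   # only the first '=' counts
        if not sep or norm_name(name) != "usechroot":
            continue
        # Unrecognised values are reported as "no chroot" so a human reviews them.
        setting = BOOLEANS.get(value.strip().lower(), False)
        if current is None:
            global_chroot = setting
        else:
            modules[current] = setting
    return sorted(m for m, s in modules.items()
                  if not (global_chroot if s is None else s))

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
uid = nobody
use chroot = no

[pub]
    path = /srv/pub
[backup]
    path = /srv/backup
    Use Chroot = yes
[mirror]
    path = /srv/mirror
    use  chroot=false
"""

if __name__ == "__main__":
    for module in modules_without_chroot(SAMPLE_CONF):
        print("module without chroot:", module)
```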
ADDITIONAL INFORMATION
The information has been provided by Martin Schulze <joey@infodrom.org>.
The original article can be found at:
http://samba.anu.edu.au/rsync/#security_aug04