[UNIX] Rsync Unauthorised Directory Traversal and File Access (clean_fname)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/17/04

    To: list@securiteam.com
    Date: 17 Aug 2004 12:28:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Rsync Unauthorised Directory Traversal and File Access (clean_fname)
    ------------------------------------------------------------------------

    SUMMARY

    The rsync developers have discovered a security-related problem in rsync,
    a fast remote file copy program, which allows an attacker to access files
    outside of the defined directory. To exploit this path-sanitizing bug,
    rsync has to run in daemon mode with the chroot option disabled. It
    does not affect the normal send/receive filenames that specify what files
    should be transferred. It does affect certain option paths that cause
    auxiliary files to be read or written.

    DETAILS

    Vulnerable Systems:
     * rsync version 2.6.2 and prior

    Immune Systems:
     * rsync version 2.6.3 or newer

    There is a path-sanitizing bug that affects daemon mode in all recent
    rsync versions (including 2.6.2) but only if chroot is disabled. It does
    NOT affect the normal send/receive filenames that specify what files
    should be transferred (this is because these names happen to get sanitized
    twice, and thus the second call removes any lingering leading slash(es)
    that the first call left behind). It does affect certain option paths that
    cause auxiliary files to be read or written.

    Solution:
    The best fix is to apply this one-word patch to the sanitize_path()
    function in util.c:

    --- orig/util.c 2004-04-27 12:59:37 -0700
    +++ util.c 2004-08-11 23:37:27 -0700
    @@ -743,7 +743,7 @@
         allowdotdot = 1;
        } else {
         p += 2;
    - if (*p == '/')
    + while (*p == '/')
          p++;
         if (sanp != start) {
          /* back up sanp one level */
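
Review bot: the new `while (*p == '/')` loop after `p += 2` carries no comment saying why every slash in the run has to be consumed, so a later cleanup could turn it back into an `if` without anyone noticing. Add a one-line comment there noting that a slash left behind at this point ends up as a lingering leading slash in the sanitized path, which only a second sanitizing pass would strip. It is also worth checking the rest of sanitize_path() for any other place that steps over a single '/' on the same assumption, since this hunk shows only this one site.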

    This bug is fixed in the CVS version of rsync, and will be released in
    version 2.6.3 (it is currently in release-testing).

    One potential fix that doesn't require recompiling rsync is to set "use
    chroot = true" for all the modules in the rsyncd.conf file.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:joey@infodrom.org> Martin
    Schulze.
    The original article can be found at:
    <http://samba.anu.edu.au/rsync/#security_aug04>
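
The workaround in the Solution section (setting "use chroot = true" for all modules) can be checked with a short audit of rsyncd.conf. The script below is an added example, not part of the advisory or of rsync itself; the sample configuration is constructed, and it assumes that an unset "use chroot" means chroot is enabled and that parameter names are matched ignoring whitespace and case.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# Constructed sample rsyncd.conf (not taken from the advisory).
SAMPLE = """\
use chroot = no
[pub]
    path = /srv/pub
[backup]
    path = /srv/backup
    use chroot = true
[ legacy ]
    path = /srv/legacy
    Use  Chroot = false
"""

def modules_without_chroot(conf_text, default=True):
    """Return the modules whose effective 'use chroot' setting is false.

    Assumptions: an unset parameter means chroot is on (default=True), and
    parameter names are matched ignoring whitespace and case.
    """
    global_value, modules, current = default, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            modules.setdefault(current, None)   # None = inherit global value
            continue
        key, sep, value = line.partition("=")
        if not sep or re.sub(r"\s+", "", key).lower() != "usechroot":
            continue
        value = value.strip().lower()
        if value not in TRUE | FALSE:
            raise ValueError(f"unrecognised boolean for 'use chroot': {value!r}")
        if current is None:
            global_value = value in TRUE        # global section, before any module
        else:
            modules[current] = value in TRUE
    return [name for name, explicit in modules.items()
            if not (global_value if explicit is None else explicit)]

if __name__ == "__main__":
    for name in modules_without_chroot(SAMPLE):
        print(f"module [{name}] runs without chroot")
```

Any module it reports is one where the path-sanitizing bug is reachable on rsync 2.6.2 and prior, so those are the modules to switch to "use chroot = true" or to move to a patched build first.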


