rsync prior 2.6.3 path sanitation vulnerability 1.2
 
Plugin ID99
Plugin namersync prior 2.6.3 path sanitation vulnerability
Plugin filenamersync prior 2.6.3 path sanitation vulnerability.plugin
Plugin filesize3875 bytes
Plugin familyMisc
Plugin created nameMarc Ruef
Plugin created emailmarc dot ruef at computec dot ch
Plugin created webhttp://www.computec.ch
Plugin created companycomputec.ch
Plugin created date2004/08/17
Plugin updated nameMarc Ruef
Plugin updated emailmarc dot ruef at computec dot ch
Plugin updated webhttp://www.computec.ch
Plugin updated companycomputec.ch
Plugin updated date2004/11/13
Plugin version1.2
Plugin changelogCorrected the plugin structure and added the accuracy values in 1.2
Plugin protocoltcp
Plugin port873
Plugin procedure detectionopen|sleep|close|pattern_exists *@RSYNCD:*[0-2]*
Plugin detection accuracy90
Plugin commentCheck is copied from the Nessus plugin (see Nessus ID listed in the sources). SuSE has its own advisory for this bug at http://www.suse.de/security/2004_26_rsync.html (Nessus ID 14276).
Bug published webhttp://rsync.samba.org
Bug published companyrsync Team
Bug published date2004/08/12
Bug advisoryhttp://samba.org/rsync/#security_aug04
Bug affectedrsync 2.3.1 bis rsync 2.6.2
Bug not affectedrsync 2.6.3
Bug vulnerability classWeak Authentication
Bug descriptionA vulnerability has been reported in rsync, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system. The vulnerability is caused due to an input validation error. An attacker, exploiting this flaw, would need network access to the rsyncd service as well as the ability to craft a malicious packet which, when interpreted by rsyncd, would give 'read' access to a file outside of the rsync configured directory structure. Successful exploitation requires that the rsync daemon isn't running chrooted. At least one default implementation of rsyncd utilizes chroot by default.
Bug solutionUpgrade to rsync 2.6.3 or newer. The server should be deactivated or de-installed if not necessary. To make it harder to find the server the daemon could be configured to listen at another port (e.g. 8081). Try to prevent unwanted connection attempts by filtering traffic with firewalling. Alternation of the application banner can confuse an attacker and let him determine the wrong software.
Bug fixing timeApprox. 2 hours
Bug exploit availabilityNo
Bug exploit urlhttp://www.securityfocus.com/bid/10938/exploit/
Bug remoteYes
Bug localYes
Bug severityMedium
Bug popularity5
Bug simplicity6
Bug impact8
Bug risk6
Bug Nessus riskHigh
Bug check toolsNessus
Source SecurityFocus BID10938
Source Secunia ID12294
Source Heise Security50061
Source Nessus ID14277
Source LiteratureHacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427
Source Misc.http://www.securityfocus.com/advisories/7071

This file was generated by the Attack Tool Kit (ATK), the open-sourced security scanner and exploiting framework.