Vulnerability Note VU#325603

Integer overflow vulnerability in rsync

Original Release date: 09 Dec 2003 | Last revised: 01 May 2006

Overview

Some versions of the rsync program contain a remotely exploitable vulnerability. This vulnerability may allow an attacker to execute arbitrary code on the target system.

Description

rsync is an open source utility that provides fast incremental file transfer. It features the ability to operate as either a client or server when transferring data over a network.

An integer overflow error has been discovered in a portion of rsync's memory handling routines. An attacker sending an extremely large, specifically crafted file may be able to exploit this error to execute arbitrary code from the heap of the rsync process address space. This error results in a vulnerability primarily when the rsync program is used in server mode, accepting input from remote clients over the network.

Versions of the rsync software 2.5.6 and earlier contain this flaw. Note: We have received reports of this vulnerability being used to successfully compromise systems.

Impact

An attacker may be able to execute arbitrary code in the context of the user running the rsync server, often root.

Solution

Apply patches

rsync version 2.5.7 has been released and contains patches to address this vulnerability.

Users using packaged versions of the rsync software are encouraged to review the vendor information in the Systems Affected section of this document for more details. Users compiling the rsync software from the distribution source code can obtain the patched version from the rsync homepage.

Workarounds


Administrators, particularly those who are unable to apply the patches in a timely fashion, are encouraged to consider implementing the following workarounds:

  • Disable the rsync service on systems that do not require it to be running.
  • Filter access to the rsync service. The rsync service normally runs on port 873/tcp. Limiting access to this port from trusted clients may reduce exposure to this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Affected-21 Jan 2004
Debian LinuxAffected-08 Dec 2003
FreeBSD, Inc.Affected-08 Dec 2003
Gentoo LinuxAffected-02 Aug 2005
Guardian Digital Inc. Affected-08 Dec 2003
ImmunixAffected-02 Aug 2005
Mandriva, Inc.Affected-08 Dec 2003
OpenBSDAffected-08 Dec 2003
OpenPKGAffected-02 Aug 2005
SCOAffected-02 Aug 2005
SGIAffected-21 Jan 2004
SlackwareAffected-08 Dec 2003
SUSE LinuxAffected-08 Dec 2003
Trustix Secure LinuxAffected-08 Dec 2003
TurboLinuxAffected-08 Dec 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Timo Sirainen originally discovered and reported this vulnerability. The rsync development team credits Mike Warfield, Paul Russell, and Andrea Barisani with providing additional information that led to the development of a fix and advisory.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2003-0962
  • Date Public: 03 Oct 2003
  • Date First Published: 09 Dec 2003
  • Date Last Updated: 01 May 2006
  • Severity Metric: 29.40
  • Document Revision: 28

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.