Vulnerability Note VU#800635

rsync fails to properly handle negative values specified for signed integers thereby allowing remote command execution

Overview

There exist several signed-integer vulnerabilities in rsync. If rsync is run as a daemon, a remote-root compromise may be possible.

I. Description

Included in most distributions of Linux, rsync is a popular tool for synchronizing files across multiple hosts. Though not enabled in the default configuration, rsync can be run as a daemon to facilitate the distribution of files to FTP mirror sites.

Researchers have found several vulnerabilities in rsync, resulting from the use of signed integer variables. If rsync receives negative integers where it expects positive integers, it can forced to overwrite arbitrary bytes of the stack with zeroes (null-bytes).

II. Impact

The rsync process can be used to exploited to execute arbitrary code. If rsync is run as a daemon, a remote attacker can execute arbitrary code as the owner of the rsync process, generally root.

III. Solution

Apply a patch from your vendor.

Use the "chroot" option in the rsync config file to limit rsync's access to the filesystem.

Systems Affected

Vendor	Status	Date Notified
Caldera	Vulnerable	14-Sep-2002
Conectiva	Vulnerable	6-Jun-2002
Debian	Vulnerable	6-Jun-2002
Guardian Digital	Vulnerable	16-Sep-2002
Hewlett-Packard Company	Vulnerable	6-Jun-2002
IBM-zSeries	Unknown	6-Jun-2002
MandrakeSoft	Vulnerable	6-Jun-2002
Sequent	Unknown	6-Jun-2002

References

Credit

Thanks to Conectiva for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public:	2002-01-25
Date First Published:	2002-09-16
Date Last Updated:	2002-09-16
CERT Advisory:
CVE-ID(s):	CAN-2002-0048
NVD-ID(s):	CAN-2002-0048
US-CERT Technical Alerts:
Severity Metric:	15.26
Document Revision:	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.