Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.

When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.

The rsync team has received evidence that a vulnerability in all versions of rsync prior to 2.5.7, a fast remote file copy program, was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server.

While this heap overflow vulnerability could not be used by itself to obtain root access on an rsync server, it could be used in combination with the recently announced do_brk() vulnerability in the Linux kernel to produce a full remote compromise.

Please note that this vulnerability only affects the use of rsync as an 'rsync server'. To see if you are running a rsync server you should use the command 'netstat -a -n' to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running an rsync server.

A vulnerability was discovered in all versions of rsync prior to 2.5.7 that was recently used in conjunction with the Linux kernel do_brk() vulnerability to compromise a public rsync server.

This heap overflow vulnerability, by itself, cannot yield root access, however it does allow arbitrary code execution on the host running rsync as a server. Also note that this only affects hosts running rsync in server mode (listening on port 873, typically under xinetd).

The remote host is missing the patch for the advisory SuSE-SA:2003:050 (rsync).


The rsync suite provides client and server tools to easily support an administrator keeping the files of different machines in sync.
In most private networks the rsync client tool is used via SSH to fulfill his tasks. In an open environment rsync is run in server mode accepting connections from many untrusted hosts with, but mostly without, authentication.
The rsync server drops its root privileges soon after it was started and per default creates a chroot environment.
Due to insufficient integer/bounds checking in the server code a heap overflow can be triggered remotely to execute arbitrary code. This code does not get executed as root and access is limited to the chroot environment. The chroot environment maybe broken afterwards by abusing further holes in system software or holes in the chroot setup.

Your are not vulnerable as long as you do not use rsync in server mode or you use authentication to access the rsync server.

As a temporary workaround you can disable access to your rsync server for untrusted parties, enable authentication or switch back to rsync via SSH.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0962 to this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is missing Security Update 2003-12-19.

This security update includes the following components :

 - AFP Server
 - cd9600.util
 - Directory Services
 - fetchmail
 - fs_usage
 - rsync
 - System Initialization

For MacOS X 10.3, it also includes :

 - ASN.1 Decoding for PKI

This update contains various fixes which may allow an attacker to execute arbitrary code on the remote host.

Updated rsync packages are now available that fix a heap overflow in the Rsync server.

rsync is a program for sychronizing files over the network.

A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0962 to this issue.

All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue.

NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command :

/sbin/chkconfig --list rsync

If the rsync server has been enabled but is not required, it can be disabled by running the following command as root :

/sbin/chkconfig rsync off

Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue.

The remote rsync server is affected by a heap buffer overflow condition when running in server mode. An attacker can exploit this issue to gain a shell on the host and execute arbitrary code.

Note that since rsync does not advertise its version number and since there are few details about this flaw at this time, this might be a false positive.

ID	Name	Product	Family	Severity
36807	FreeBSD : rsync buffer overflow in server mode (5729b8ed-5d75-11d8-80e3-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
15241	Debian DSA-404-1 : rsync - heap overflow	Nessus	Debian Local Security Checks	high
14093	Mandrake Linux Security Advisory : rsync (MDKSA-2003:111)	Nessus	Mandriva Local Security Checks	high
13818	SuSE-SA:2003:050: rsync	Nessus	SuSE Local Security Checks	high
13666	Fedora Core 1 : rsync-2.5.7-2 (2003-030)	Nessus	Fedora Local Security Checks	high
12516	Mac OS X Multiple Vulnerabilities (Security Update 2003-12-19)	Nessus	MacOS X Local Security Checks	critical
12440	RHEL 2.1 / 3 : rsync (RHSA-2003:399)	Nessus	Red Hat Local Security Checks	high
11943	rsync < 2.5.7 Unspecified Remote Heap Overflow	Nessus	Gain a shell remotely	high

Detections

Analytics

CVE-2003-0962

critical

Tenable Plugins

high

high

high

high

high

critical

high

high