rsync sanitize_path() Function Arbitrary File Disclosure

medium Nessus Plugin ID 14223

Synopsis

Arbitrary files can be accessed from the remote host.

Description

An information disclosure vulnerability exists in rsync due to improper validation of user-supplied input to the sanitize_path() function. An unauthenticated, remote attacker can exploit this, via a specially crafted path, to generate an absolute filename in place of a relative filename, resulting in the disclosure of arbitrary files.
However, successful exploitation requires that the rsync daemon is not running chrooted.

Note that since rsync does not advertise its version number and since there are few details about this flaw at this time, this might be a false positive.

Solution

Upgrade to rsync version 2.6.3 or later.

Plugin Details

Severity: Medium

ID: 14223

File Name: rsync_path_sanitation_vuln.nasl

Version: 1.23

Type: remote

Published: 8/16/2004

Updated: 7/27/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/13/2004

Reference Information

CVE: CVE-2004-0792

BID: 10938