rsync prior 2.6.3 path sanitation vulnerability.plugin

来自「全面网络扫描器VB源代码 很实用」· PLUGIN 代码 · 共 49 行

<plugin_id>99</plugin_id>
<plugin_name>rsync prior 2.6.3 path sanitation vulnerability</plugin_name>
<plugin_family>Misc</plugin_family>
<plugin_created_date>2004/08/17</plugin_created_date>
<plugin_created_name>Marc Ruef</plugin_created_name>
<plugin_created_email>marc dot ruef at computec dot ch</plugin_created_email>
<plugin_created_web>http://www.computec.ch</plugin_created_web>
<plugin_created_company>computec.ch</plugin_created_company>
<plugin_updated_name>Marc Ruef</plugin_updated_name>
<plugin_updated_email>marc dot ruef at computec dot ch</plugin_updated_email>
<plugin_updated_web>http://www.computec.ch</plugin_updated_web>
<plugin_updated_company>computec.ch</plugin_updated_company>
<plugin_updated_date>2004/11/13</plugin_updated_date>
<plugin_version>1.2</plugin_version>
<plugin_changelog>Corrected the plugin structure and added the accuracy values in 1.2</plugin_changelog>
<plugin_protocol>tcp</plugin_protocol>
<plugin_port>873</plugin_port>
<plugin_procedure_detection>open|sleep|close|pattern_exists *@RSYNCD:*[0-2]*</plugin_procedure_detection>
<plugin_detection_accuracy>90</plugin_detection_accuracy>
<plugin_comment>Check is copied from the Nessus plugin (see Nessus ID listed in the sources). SuSE has its own advisory for this bug at http://www.suse.de/security/2004_26_rsync.html (Nessus ID 14276).</plugin_comment>
<bug_published_web>http://rsync.samba.org</bug_published_web>
<bug_published_company>rsync Team</bug_published_company>
<bug_published_date>2004/08/12</bug_published_date>
<bug_advisory>http://samba.org/rsync/#security_aug04</bug_advisory>
<bug_affected>rsync 2.3.1 bis rsync 2.6.2</bug_affected>
<bug_not_affected>rsync 2.6.3</bug_not_affected>
<bug_vulnerability_class>Weak Authentication</bug_vulnerability_class>
<bug_description>A vulnerability has been reported in rsync, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system. The vulnerability is caused due to an input validation error.  An attacker, exploiting this flaw, would need network access to the rsyncd service as well as the ability to craft a malicious packet which, when interpreted by rsyncd, would give 'read' access to a file outside of the rsync configured directory structure. Successful exploitation requires that the rsync daemon isn't running chrooted. At least one default implementation of rsyncd utilizes chroot by default.</bug_description>
<bug_solution>Upgrade to rsync 2.6.3 or newer. The server should be deactivated or de-installed if not necessary. To make it harder to find the server the daemon could be configured to listen at another port (e.g. 8081). Try to prevent unwanted connection attempts by filtering traffic with firewalling. Alternation of the application banner can confuse an attacker and let him determine the wrong software.</bug_solution>
<bug_fixing_time>Approx. 2 hours</bug_fixing_time>
<bug_exploit_availability>No</bug_exploit_availability>
<bug_exploit_url>http://www.securityfocus.com/bid/10938/exploit/</bug_exploit_url>
<bug_remote>Yes</bug_remote>
<bug_local>Yes</bug_local>
<bug_severity>Medium</bug_severity>
<bug_popularity>5</bug_popularity>
<bug_simplicity>6</bug_simplicity>
<bug_impact>8</bug_impact>
<bug_risk>6</bug_risk>
<bug_nessus_risk>High</bug_nessus_risk>
<bug_check_tool>Nessus</bug_check_tool>
<source_securityfocus_bid>10938</source_securityfocus_bid>
<source_secunia_id>12294</source_secunia_id>
<source_heise_security>50061</source_heise_security>
<source_nessus_id>14277</source_nessus_id>
<source_literature>Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427</source_literature>
<source_misc>http://www.securityfocus.com/advisories/7071</source_misc>