Vulnerabilities > CVE-2002-0048 - Remote Code Execution vulnerability in rsync Signed Array Index

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
andrew-tridgell
critical
nessus
exploit available

Summary

Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.

Exploit-Db

  • description: rsync 2.3/2.4/2.5 Signed Array Index Remote Code Execution Vulnerability. CVE-2002-0048. Remote exploit for linux platform
    id: EDB-ID:21242
    last seen: 2016-02-02
    modified: 2002-01-25
    published: 2002-01-25
    reporter: sorbo
    source: https://www.exploit-db.com/download/21242/
    title: rsync 2.3/2.4/2.5 Signed Array Index Remote Code Execution Vulnerability
  • description: rsync <= 2.5.1 Remote Exploit. CVE-2002-0048. Remote exploit for linux platform
    id: EDB-ID:398
    last seen: 2016-01-31
    modified: 2002-01-01
    published: 2002-01-01
    reporter: Teso
    source: https://www.exploit-db.com/download/398/
    title: rsync <= 2.5.1 - Remote Exploit
  • description: rsync <= 2.5.1 Remote Exploit (2). CVE-2002-0048. Remote exploit for linux platform
    id: EDB-ID:399
    last seen: 2016-01-31
    modified: 2002-01-01
    published: 2002-01-01
    reporter: Teso
    source: https://www.exploit-db.com/download/399/
    title: rsync <= 2.5.1 - Remote Exploit 2

Nessus

  • NASL family: Gain a shell remotely
    NASL id: RSYNC_ARRAY_OVERFLOW.NASL
    description: The remote rsync server is affected by multiple signedness errors in the I/O functions. An unauthenticated, remote attacker can exploit these to cause a denial of service or execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11390
    published: 2003-03-14
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11390
    title: rsync I/O Functions Multiple Signedness Errors RCE
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Plugin registration. When Nessus loads the script with `description` set,
    # only the metadata below is recorded and the script exits here, before any
    # of the network code further down runs.
    if (description)
    {
     script_id(11390);
     script_version ("1.18");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    
     # Identifiers and cross-references for the flaw this plugin detects:
     # the CVE, the Bugtraq id, the three Exploit-DB entries and the CERT note.
     script_cve_id("CVE-2002-0048");
     script_bugtraq_id(3958);
     script_xref(name:"EDB-ID", value:"398");
     script_xref(name:"EDB-ID", value:"399");
     script_xref(name:"EDB-ID", value:"21242");
     script_xref(name:"CERT", value:"800635");
     
     script_name(english:"rsync I/O Functions Multiple Signedness Errors RCE");
     script_summary(english:"Determines if the remote rsync is buggy.");
    
     # Report text shown to the user: what the issue is and the remediation.
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be run on the remote server.");
     script_set_attribute(attribute:"description", value:
    "The remote rsync server is affected by multiple signedness errors in
    the I/O functions. An unauthenticated, remote attacker can exploit
    these to cause a denial of service or execute arbitrary code.");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to rsync version 2.5.2 or later.");
     # CVSS v2 scoring: network, low complexity, no authentication, complete
     # C/I/A impact; temporal vector records a proof-of-concept with an
     # official fix available.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/01/25");
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/14");
    
     # Remote (network) check; attribute list must be closed before the
     # category/family/dependency calls below.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Gain a shell remotely");
    
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
     # Runs after service discovery and only against hosts with an rsync port
     # (the "Services/rsyncd" KB entry, or the default 873).
     script_dependencies("find_service1.nasl");
     script_require_ports("Services/rsyncd", 873);
     exit(0);
    }
    
    include("global_settings.inc");
    
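    # Open a fresh connection to the rsync daemon on `port` and bring it to the
    # point where module commands can be sent: read the daemon's
    # "@RSYNCD: <version>" banner, skip the MOTD text that follows it, and
    # echo the banner back (this is how the plugin completes the version
    # exchange).
    #
    # port: TCP port of the rsync daemon.
    # motd: MOTD text captured earlier from this daemon, or NULL if it printed
    #       none; only its length is used, to consume the same text again.
    #
    # Returns the connected socket ready for a module name / "#list" line, or
    # NULL if the connection could not be opened or no banner was received
    # (the socket is closed in that case, so nothing leaks).
    function rsync_init(port, motd)
    {
     local_var soc, banner;

     soc = open_sock_tcp(port);
     if (!soc) return NULL;

     banner = recv_line(socket:soc, length:4096);
     if (!banner)
     {
      # No banner: do not echo an empty line to the daemon and do not hand a
      # half-initialised socket back to the caller.
      close(soc);
      return NULL;
     }

     # The daemon prints its MOTD right after the banner (the main script
     # captured it up to the "@ERROR" line). Consume exactly that much so the
     # next recv_line is the daemon's reply to what the caller sends.
     if (motd) recv(socket:soc, length:strlen(motd), min:strlen(motd));

     send(socket:soc, data:banner);
     return soc;
    }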
    
    
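    # Locate the rsync daemon: use the port found by find_service1.nasl, fall
    # back to the default 873, and stop if the port is not open.
    port = get_kb_item("Services/rsyncd");
    if (!port) port = 873;
    if (!get_port_state(port)) exit(0);

    soc = open_sock_tcp(port);
    if (!soc) exit(0);

    # The banner carries the protocol version. Only daemons announcing a
    # version between 10 and 25 are examined; anything else is out of scope
    # for this check and the script exits quietly.
    welcome = recv_line(socket:soc, length:4096);
    if (!welcome) exit(0);
    if (!ereg(pattern:"@RSYNCD: (1[0-9]|2[0-5])[^0-9]", string:welcome)) exit(0);

    # Send an invalid version line. The daemon answers with its MOTD (if any)
    # followed by an "@ERROR" line; capture the MOTD so that later connections
    # (see rsync_init) can skip exactly that much text before the real reply.
    send(socket:soc, data:string("@BOGUS\n"));
    motd = NULL;

    for (i = 0; i < 255; i++)
    {
     r = recv_line(socket:soc, length:4096);
     if (!r || "@ERROR" >< r) break;
     motd += r;
    }

    close(soc);

    # Ask for the module list. Each reply line is "<module> <comment>" until a
    # line starting with "@RSYNC" ("@RSYNCD: EXIT") ends the listing.
    soc = rsync_init(port:port, motd:motd);
    if (!soc) exit(0);    # previously the script went on sending to a NULL socket
    send(socket:soc, data:string("#list\r\n"));

    modules = make_list();

    for (i = 0; i < 1024; i++)
    {
     module = recv_line(socket:soc, length:4096);
     if (!module) break;
     if ("@RSYNC" >< module) break;
     mod = split(module, sep:" ");
     # split() keeps the separator (its default), so drop the trailing space
     # from the module name before storing it.
     modules = make_list(modules, mod[0] - " ");
    }
    close(soc);

    # Probe each module in turn. Once the daemon accepts the module
    # ("@RSYNCD: OK") and the server/sender options have been sent, a length
    # field of 0xFFFFFFFF (-1 when read as a signed int) is sent, which the
    # unpatched I/O functions mishandle. A daemon that still answers
    # afterwards is reported. One probe is enough, so the script exits after
    # the first accepted module whether or not it reported.
    foreach module (modules)
    {
     soc = rsync_init(port:port, motd:motd);
     if (soc == NULL) continue;

     send(socket:soc, data:string(module, "\n"));
     r = recv_line(socket:soc, length:4096);
     if ("@RSYNCD: OK" >< r)
     {
      send(socket:soc, data:string("--server\n--sender\n\n"));
      r = recv(socket:soc, length:4);
      send(socket:soc, data:raw_string(0xFF,0xFF,0xFF,0xFF));
      send(socket:soc, data:string("\n\n\n\n"));
      r = recv_line(socket:soc, length:4096);
      close(soc);
      if (r) security_hole(port:port);
      exit(0);
     }
     close(soc);
    }

    #
    # Could not test anything: no module was accepted. Only when paranoid
    # reporting is enabled is the banner-matched daemon flagged, and the
    # report says so explicitly because it may be a false positive.
    #
    if (report_paranoia > 0 && 
        ereg(pattern:"@RSYNCD: (1[0-9]|2[0-5])[^0-9]", string:welcome))
      security_hole(port:port, extra: 
    "Nessus could not verify this flaw as no module could be retrieved, so 
    this might be a false positive.");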
    
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-106.NASL
    description: Sebastian Krahmer found several places in rsync (a popular tool to synchronise files between machines) where signed and unsigned numbers were mixed which resulted in insecure code (see securityfocus.com). This could be abused by remote users to write 0-bytes in rsync's memory and trick rsync into executing arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14943
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14943
    title: Debian DSA-106-2 : rsync - remote exploit
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-106. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration. With `description` set, Nessus records the metadata
    # below and the script exits before the package check further down runs.
    if (description)
    {
      script_id(14943);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      # The CVE and the Debian advisory this local check is derived from.
      script_cve_id("CVE-2002-0048");
      script_xref(name:"DSA", value:"106");
    
      script_name(english:"Debian DSA-106-2 : rsync - remote exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      # Report text: the synopsis, the advisory's description, references and
      # the remediation (note the fix was re-issued as 2.3.2-1.5 after the
      # first patch broke rsync).
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Sebastian Krahmer found several places in rsync (a popular tool to
     synchronise files between machines) where signed and unsigned numbers
     were mixed which resulted in insecure code (see securityfocus.com).
     This could be abused by remote users to write 0-bytes in rsync's
     memory and trick rsync into executing arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://rsync.samba.org/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://online.securityfocus.com/bid/3958"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-106"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "This has been fixed in version 2.3.2-1.3 and we recommend you upgrade
    your rsync package immediately.
    
    Unfortunately the patch used to fix that problem broke rsync. This has
    been fixed in version 2.3.2-1.5 and we recommend you upgrade to that
    version immediately."
      );
      # CVSS v2: network, low complexity, no authentication, complete C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # Local (credentialed) check against the Debian 2.2 rsync package.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rsync");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/01/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs SSH-gathered host information: local checks enabled, the Debian
      # release and the dpkg package list.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled and the target must be a
    # Debian host with a dpkg package list to compare against; otherwise audit()
    # records why the check was skipped.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Debian 2.2: any rsync package older than 2.3.2-1.5 is affected.
    if (deb_check(release:"2.2", prefix:"rsync", reference:"2.3.2-1.5"))
    {
      # Report on port 0 (local finding); attach the package comparison when
      # verbose reporting is on.
      if (report_verbosity > 0)
        security_hole(port:0, extra:deb_report_get());
      else
        security_hole(port:0);
      exit(0);
    }

    # Reached only when the installed package is not affected.
    audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-009.NASL
    description: Sebastian Krahmer of the SuSE Security Team performed an audit on the rsync tool and discovered that in several places signed and unsigned numbers were mixed, with the end result being insecure code. These flaws could be abused by remote users to write 0 bytes into rsync
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13917
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13917
    title: Mandrake Linux Security Advisory : rsync (MDKSA-2002:009)

Redhat

advisories
rhsa
id: RHSA-2002:018