CVE-2002-0048 - Remote Code Execution vulnerability in rsync Signed Array Index
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: COMPLETE
- Integrity impact: COMPLETE
- Availability impact: COMPLETE

Summary
Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 14 |
Exploit-Db
id: EDB-ID:21242
title: rsync 2.3/2.4/2.5 Signed Array Index Remote Code Execution Vulnerability
description: rsync 2.3/2.4/2.5 Signed Array Index Remote Code Execution Vulnerability. CVE-2002-0048. Remote exploit for linux platform
reporter: sorbo
published: 2002-01-25
modified: 2002-01-25
last seen: 2016-02-02
source: https://www.exploit-db.com/download/21242/

id: EDB-ID:398
title: rsync <= 2.5.1 - Remote Exploit
description: rsync <= 2.5.1 Remote Exploit. CVE-2002-0048. Remote exploit for linux platform
reporter: Teso
published: 2002-01-01
modified: 2002-01-01
last seen: 2016-01-31
source: https://www.exploit-db.com/download/398/

id: EDB-ID:399
title: rsync <= 2.5.1 - Remote Exploit 2
description: rsync <= 2.5.1 Remote Exploit (2). CVE-2002-0048. Remote exploit for linux platform
reporter: Teso
published: 2002-01-01
modified: 2002-01-01
last seen: 2016-01-31
source: https://www.exploit-db.com/download/399/
Nessus
NASL family: Gain a shell remotely
NASL id: RSYNC_ARRAY_OVERFLOW.NASL
title: rsync I/O Functions Multiple Signedness Errors RCE
description: The remote rsync server is affected by multiple signedness errors in the I/O functions. An unauthenticated, remote attacker can exploit these to cause a denial of service or execute arbitrary code.
plugin id: 11390
published: 2003-03-14
modified: 2020-06-02
last seen: 2020-06-01
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11390
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(11390);
  script_version ("1.18");
  script_cvs_date("Date: 2018/07/27 18:38:14");

  script_cve_id("CVE-2002-0048");
  script_bugtraq_id(3958);
  script_xref(name:"EDB-ID", value:"398");
  script_xref(name:"EDB-ID", value:"399");
  script_xref(name:"EDB-ID", value:"21242");
  script_xref(name:"CERT", value:"800635");

  script_name(english:"rsync I/O Functions Multiple Signedness Errors RCE");
  script_summary(english:"Determines if the remote rsync is buggy.");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be run on the remote server.");
  script_set_attribute(attribute:"description", value:
"The remote rsync server is affected by multiple signedness errors in the I/O functions.
An unauthenticated, remote attacker can exploit these to cause a denial of service or execute arbitrary code.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to rsync version 2.5.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value: "2002/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");

  script_dependencies("find_service1.nasl");
  script_require_ports("Services/rsyncd", 873);

  exit(0);
}

include("global_settings.inc");

# Open a new connection, read the server greeting (and the MOTD, if one
# was seen earlier), and echo the greeting back to the server.
function rsync_init(port, motd)
{
  local_var soc, r, q, i;

  soc = open_sock_tcp(port);
  if(!soc)return NULL;
  r = recv_line(socket:soc, length:4096);
  if(motd)
    q = recv(socket:soc,length:strlen(motd), min:strlen(motd));
  send(socket:soc, data:r);
  return soc;
}

port = get_kb_item("Services/rsyncd");
if(!port)port = 873;
if(!get_port_state(port))exit(0);

soc = open_sock_tcp(port);
if(!soc)exit(0);
welcome = recv_line(socket:soc, length:4096);
if(!welcome)exit(0);

# Only continue if the banner advertises protocol version 10 through 25.
if(!ereg(pattern:"@RSYNCD: (1[0-9]|2[0-5])[^0-9]", string:welcome))
  exit(0);

# Send an invalid command and collect the MOTD lines returned before the
# @ERROR reply.
send(socket:soc, data:string("@BOGUS\n"));
motd = NULL;
for(i=0;i<255;i++)
{
  r = recv_line(socket:soc, length:4096);
  if(!r || "@ERROR" >< r)break;
  else motd += r;
}
close(soc);

# Request the module list.
soc = rsync_init(port:port, motd:motd);
send(socket:soc, data:string("#list\r\n"));
modules = make_list();
for(i=0;i<1024;i++)
{
  module = recv_line(socket:soc, length:4096);
  if(!module)break;
  if("@RSYNC" >< module) break;
  mod = split(module, sep:" ");
  modules = make_list(modules, mod[0] - " ");
}
close(soc);

# Select each module in turn; for the first one the server accepts, send
# the four 0xFF bytes and report the host if a reply line comes back.
foreach module (modules)
{
  soc = rsync_init(port:port, motd:motd);
  if(soc != NULL)
  {
    send(socket:soc, data:string(module, "\n"));
    r = recv_line(socket:soc, length:4096);
    if("@RSYNCD: OK" >< r)
    {
      send(socket:soc, data:string("--server\n--sender\n\n"));
      r = recv(socket:soc, length:4);
      send(socket:soc, data:raw_string(0xFF,0xFF,0xFF,0xFF));
      send(socket:soc, data:string("\n\n\n\n"));
      r = recv_line(socket:soc, length:4096);
      if(r)security_hole(port);
      exit(0);
    }
    else close(soc);
  }
}

#
# Could not test anything...
#
if (report_paranoia > 0 && ereg(pattern:"@RSYNCD: (1[0-9]|2[0-5])[^0-9]", string:welcome))
  security_hole(port:port, extra: "Nessus could not verify this flaw as no module could be retrieved, so this might be a false positive.");
```

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-106.NASL
title: Debian DSA-106-2 : rsync - remote exploit
description: Sebastian Krahmer found several places in rsync (a popular tool to synchronise files between machines) where signed and unsigned numbers were mixed which resulted in insecure code (see securityfocus.com). This could be abused by remote users to write 0-bytes in rsync
plugin id: 14943
published: 2004-09-29
modified: 2020-06-02
last seen: 2020-06-01
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14943
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-106. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14943);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2002-0048");
  script_xref(name:"DSA", value:"106");

  script_name(english:"Debian DSA-106-2 : rsync - remote exploit");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Sebastian Krahmer found several places in rsync (a popular tool to synchronise files between machines) where signed and unsigned numbers were mixed which resulted in insecure code (see securityfocus.com). This could be abused by remote users to write 0-bytes in rsync's memory and trick rsync into executing arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://rsync.samba.org/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://online.securityfocus.com/bid/3958"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2002/dsa-106"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"This has been fixed in version 2.3.2-1.3 and we recommend you upgrade your rsync package immediately. Unfortunately the patch used to fix that problem broke rsync. This has been fixed in version 2.3.2-1.5 and we recommend you upgrade to that version immediately."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rsync");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/01/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag the host if the rsync package installed on Debian 2.2 is older
# than the fixed version 2.3.2-1.5.
flag = 0;
if (deb_check(release:"2.2", prefix:"rsync", reference:"2.3.2-1.5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2002-009.NASL
title: Mandrake Linux Security Advisory : rsync (MDKSA-2002:009)
description: Sebastian Krahmer of the SuSE Security Team performed an audit on the rsync tool and discovered that in several places signed and unsigned numbers were mixed, with the end result being insecure code. These flaws could be abused by remote users to write 0 bytes into rsync
plugin id: 13917
published: 2004-07-31
modified: 2020-06-02
last seen: 2020-06-01
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13917
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:10.rsync.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000458
- http://lists.suse.com/archives/suse-security-announce/2002-Jan/0003.html
- http://marc.info/?l=bugtraq&m=101223214906963&w=2
- http://marc.info/?l=bugtraq&m=101223603321315&w=2
- http://online.securityfocus.com/advisories/3839
- http://www.caldera.com/support/security/advisories/CSSA-2002-003.0.txt
- http://www.debian.org/security/2002/dsa-106
- http://www.iss.net/security_center/static/7993.php
- http://www.kb.cert.org/vuls/id/800635
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-009.php
- http://www.linuxsecurity.com/advisories/other_advisory-1853.html
- http://www.redhat.com/support/errata/RHSA-2002-018.html
- http://www.securityfocus.com/bid/3958