CVE-2007-6199 - Configuration vulnerability in Rsync
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
Nessus
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2008-011.NASL
- description: rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36432
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/36432
- title: Mandriva Linux Security Advisory : rsync (MDVSA-2008:011)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2008:011.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(36432);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:50");

  script_cve_id("CVE-2007-6199", "CVE-2007-6200");
  script_xref(name:"MDVSA", value:"2008:011");

  script_name(english:"Mandriva Linux Security Advisory : rsync (MDVSA-2008:011)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"rsync before 3.0.0pre6, when running a writable rsync daemon that is
not using chroot, allows remote attackers to access restricted files
via unknown vectors that cause rsync to create a symlink that points
outside of the module's hierarchy. (CVE-2007-6199)
Unspecified vulnerability in rsync before 3.0.0pre6, when running a
writable rsync daemon, allows remote attackers to bypass exclude,
exclude_from, and filter and read or write hidden files via (1)
symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest
options. (CVE-2007-6200)
This update fixes these issues. It is recommended users (specially
system and network administrators) read the manpage about the
introduced munge symlinks feature.
This update also upgrades rsync to version 2.6.9 for all Mandriva
Linux versions earlier than 2008.0."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://rsync.samba.org/security.html#s3_0_0"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected rsync package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cwe_id(16, 264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rsync");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2007.0", reference:"rsync-2.6.9-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"rsync-2.6.9-1.2mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"rsync-2.6.9-5.1mdv2008.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE9_12038.NASL
- description: This update fixes a bug in rsync that allowed remote attackers to access restricted files outside a module
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 41181
- published: 2009-09-24
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/41181
- title: SuSE9 Security Update : rsync (YOU Patch Number 12038)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(41181);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:29");

  script_cve_id("CVE-2007-6199", "CVE-2007-6200");

  script_name(english:"SuSE9 Security Update : rsync (YOU Patch Number 12038)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes a bug in rsync that allowed remote attackers to
access restricted files outside a module's hierarchy if no chroot
setup was used. (CVE-2007-6199)
Please read http://rsync.samba.org/security.html entry from November
28th, 2007 to get more information about a secure configuration of
rsync that also covers the bug tracked with CVE-2007-6200.
This update also fixes some crashes that only affect rsync-2.6.8 on
SLES10.
This is a reissue of another post-SP4 rsync update."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-6199.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-6200.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12038.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cwe_id(16, 264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/12/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", reference:"rsync-2.6.8-53.7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_RSYNC-4798.NASL
- description: This update fixes a bug in rsync that allowed remote attackers to access restricted files outside a module
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 29790
- published: 2007-12-24
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/29790
- title: SuSE 10 Security Update : rsync (ZYPP Patch Number 4798)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29790);
  script_version ("1.20");
  script_cvs_date("Date: 2019/10/25 13:36:30");

  script_cve_id("CVE-2007-6199", "CVE-2007-6200");

  script_name(english:"SuSE 10 Security Update : rsync (ZYPP Patch Number 4798)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes a bug in rsync that allowed remote attackers to
access restricted files outside a module's hierarchy if no chroot
setup was used. (CVE-2007-6199)
Please read http://rsync.samba.org/security.html entry from November
28th, 2007 to get more information about a secure configuration of
rsync that also covers the bug tracked with CVE-2007-6200.
This update also fixes some crashes that only affect rsync-2.6.8 on
SLES10."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-6199.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-6200.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4798.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cwe_id(16, 264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SLED10", sp:1, reference:"rsync-2.6.8-36.22")) flag++;
if (rpm_check(release:"SLES10", sp:1, reference:"rsync-2.6.8-36.22")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```

- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_SECUPD2008-005.NASL
- description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-005 applied. This update contains security fixes for a number of programs.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 33790
- published: 2008-08-01
- reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/33790
- title: Mac OS X Multiple Vulnerabilities (Security Update 2008-005)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3004) exit(0);

include("compat.inc");

if (description)
{
  script_id(33790);
  script_version("1.25");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id(
    "CVE-2007-4850", "CVE-2007-5135", "CVE-2007-6199", "CVE-2007-6200",
    "CVE-2008-0599", "CVE-2008-0674", "CVE-2008-1447", "CVE-2008-2050",
    "CVE-2008-2051", "CVE-2008-2320", "CVE-2008-2321", "CVE-2008-2322",
    "CVE-2008-2323", "CVE-2008-2324", "CVE-2008-2325", "CVE-2008-2830",
    "CVE-2008-2952"
  );
  script_bugtraq_id(
    25831, 26638, 26639, 27413, 27786, 29009, 29831, 30013,
    30131, 30487, 30488, 30489, 30490, 30492, 30493
  );
  script_xref(name:"Secunia", value:"31326");
  script_xref(name:"IAVA", value:"2008-A-0045");

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2008-005)");
  script_summary(english:"Check for the presence of Security Update 2008-005");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.5 or 10.4 that
does not have the security update 2008-005 applied.
This update contains security fixes for a number of programs." );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT2647" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Jul/msg00003.html" );
  script_set_attribute(attribute:"solution", value:
"Install Security Update 2008-005 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 119, 189, 264, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/08/01");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/07/31");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");
  exit(0);
}

uname = get_kb_item("Host/uname");
if (!uname) exit(0);

if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages");
  if (!packages) exit(0);

  if (!egrep(pattern:"^SecUpd(Srvr)?(2008-00[5-8]||2009-|20[1-9][0-9]-)", string:packages))
    security_hole(0);
}
else if (egrep(pattern:"Darwin.* (9\.[0-4]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(0);

  if (!egrep(pattern:"^com\.apple\.pkg\.update\.security\.2008\.005\.bom", string:packages))
    security_hole(0);
}
```

- NASL family: F5 Networks Local Security Checks
- NASL id: F5_BIGIP_SOL15549.NASL
- description: rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 83004
- published: 2015-04-23
- reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/83004
- title: F5 Networks BIG-IP : Rsync vulnerability (SOL15549)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_RSYNC-4793.NASL
- description: This update fixes a bug in rsync that allowed remote attackers to access restricted files outside a module
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 29789
- published: 2007-12-24
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/29789
- title: openSUSE 10 Security Update : rsync (rsync-4793)

Statements
contributor | Mark J Cox |
lastmodified | 2007-12-06 |
organization | Red Hat |
statement | Red Hat does not consider this to be a security issue. Versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 behave as expected and that behavior was well documented. |
References
- http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2008-01/msg00002.html
- http://rsync.samba.org/security.html#s3_0_0
- http://secunia.com/advisories/27853
- http://secunia.com/advisories/27863
- http://secunia.com/advisories/28412
- http://secunia.com/advisories/28457
- http://secunia.com/advisories/31326
- http://secunia.com/advisories/61005
- http://securitytracker.com/id?1019012
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15549.html
- http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0257
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:011
- http://www.securityfocus.com/archive/1/487991/100/0/threaded
- http://www.securityfocus.com/bid/26638
- http://www.vupen.com/english/advisories/2007/4057
- http://www.vupen.com/english/advisories/2008/2268