Message-ID: <adf7f4c9-f388-a882-562a-f2b424f16a09@prodaft.com>
Date: Tue, 2 Aug 2022 11:53:25 +0300
From: EGE BALCI <ege@...daft.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.

Date reported : July 25, 2022
CVE identifiers : CVE-2022-29154.

------------------------------------------------------------------------
Rsync client-side arbitrary file write vulnerability. (CVE-2022-29154)
------------------------------------------------------------------------

> We have discovered a critical arbitrary file write vulnerability in the
> rsync utility that allows malicious remote servers to write arbitrary
> files inside the directories of connecting peers. The server chooses
> which files/directories are sent to the client. Due to the insufficient
> controls inside the
> [do_server_recv](https://github.com/WayneD/rsync/blob/85c56b2603d97c225889175797ffff6745a4d305/main.c#L1118)
> function, a malicious rsync server (or Man-in-The-Middle attacker) can
> overwrite arbitrary files in the rsync client target directory and
> subdirectories. An attacker abusing this vulnerability can overwrite
> critical files under the target rsync directory and subdirectories (for
> example, to overwrite the .ssh/authorized_keys file). This issue is very
> similar to
> [CVE-2019-6111](https://www.youtube.com/watch?v=fcesKgfSPq4).
>
> Best regards,
> Ege BALCI, Taha HAMAD.

The vulnerability was addressed with the developer of the rsync project and the necessary patches have been made. The related commit and details can be found at the following links:

- https://download.samba.org/pub/rsync/NEWS
- https://download.samba.org/pub/rsync/rsync.1#MULTI-HOST_SECURITY
- https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871

We recommend updating to the latest stable versions of rsync.
--
Ege BALCI
Threat Intelligence Team Lead
PRODAFT Cyber Security Technologies INC.
CH: Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains, Switzerland
NL: Wilhelmina van Pruisenweg 104, 2595 AN Den Haag, Netherlands
E.: ege[at]prodaft.com
IN: /egebalci

In case you think you're not the designated recipient of the e-mail hereby, please delete it accordingly.
This e-mail may have been sent from a mobile device. Please contact me from my mobile in case you notice an error in the content.
PS. Feel free to contact me via Signal, Threema or Telegram, or ask for my public PGP key for high-profile cases that may require higher confidentiality.
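The advisory's core point is that the sending side of an rsync transfer chooses the names in the file list, and a receiving client that writes whatever it is given lets a rogue server (or an on-path attacker) plant a file such as .ssh/authorized_keys under the destination. The script below is an added illustration of the receiver-side check that closes that gap; it is not code from the advisory or from the rsync project, and its function names, the REQUESTED/RECEIVED sample lists, and the simplified matching rules (each entry's top-level name must match one of the names or globs the client asked for, and no entry may be absolute or contain "..") are assumptions made for the example. The "contents of a directory" request form (a source argument ending in "/"), where any top-level name is legitimate, is not modelled.

```python
"""Receiver-side validation of a server-supplied file list (illustrative).

Added example, not rsync's own code. The sender claims it is about to write
a set of relative paths; the receiver must not trust that claim. Two checks:
  1. path sanity: the name is relative, non-empty, and has no ".." component;
  2. the entry's top-level name matches something the client actually
     requested (exact name or shell-style glob), so the sender cannot add
     unrequested top-level names such as ".ssh".
"""
import fnmatch
import posixpath

# Reasons a server-supplied name is refused.
ABSOLUTE = "absolute path"
TRAVERSAL = "'..' component"
EMPTY = "empty name or component"
UNREQUESTED = "top-level name not requested"


def split_safe(name):
    """Split a sender-supplied name into components, or return a refusal reason.

    Empty components (from "a//b" or a trailing "/") and "." components are
    dropped; anything absolute or containing ".." is refused outright.
    """
    if name.startswith("/"):
        return None, ABSOLUTE
    parts = [p for p in name.split("/") if p != ""]
    if ".." in parts:
        return None, TRAVERSAL
    parts = [p for p in parts if p != "."]
    if not parts:
        return None, EMPTY
    return parts, None


def requested_match(top, requested):
    """True if the top-level name matches one of the requested names/globs."""
    return any(fnmatch.fnmatchcase(top, pat) for pat in requested)


def check_file_list(requested, received):
    """Partition the sender's list into accepted relative paths and (name, reason) rejections."""
    accepted, rejected = [], []
    for name in received:
        parts, reason = split_safe(name)
        if reason is not None:
            rejected.append((name, reason))
            continue
        if not requested_match(parts[0], requested):
            rejected.append((name, UNREQUESTED))
            continue
        accepted.append(posixpath.join(*parts))
    return accepted, rejected


# Constructed sample: what the client asked the server for ...
REQUESTED = ["report.pdf", "logs*"]
# ... and what a rogue server claims it is sending (constructed, hypothetical).
RECEIVED = [
    "report.pdf",
    "logs-2022/app.log",
    ".ssh/authorized_keys",   # unrequested top-level name: the pattern the advisory describes
    "logs-2022/../.profile",  # traversal hidden under a requested prefix
    "/etc/passwd",            # absolute path
    "",                       # empty name
]

if __name__ == "__main__":
    ok, bad = check_file_list(REQUESTED, RECEIVED)
    for path in ok:
        print("accept", path)
    for name, why in bad:
        print("reject", repr(name), "-", why)
```

The top-level-name check is only as tight as the request: a client that asks for `*` has told the server that any top-level name is acceptable, and `fnmatch` deliberately lets `*` match a leading dot, so the check then admits `.ssh` as well. Sanity checks on the path itself, and rsync's own confinement of writes to the destination directory, are what remain in that case.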