
Rsync vulnerabilities let attackers take full control of servers: PoC published

Several critical security vulnerabilities have been discovered in rsync, the widely used file-synchronization tool, exposing millions of servers to potential takeover by anonymous attackers.

The flaws, found in rsync version 3.2.7 and earlier, enable remote code execution, leakage of sensitive data and file-system manipulation across five different attack vectors, according to a report published on GitHub.

Proof of concept

CVE-2024-12084: Heap buffer overflow in checksum handling (CVSS 9.8)

The most critical vulnerability lies in how rsync daemons handle file checksums during synchronization.

Attackers can trigger a heap buffer overflow by sending malicious checksum data that exceeds the allocated 16-byte buffer (the sum2 array).

The overflow occurs because the protocol accepts s2length values of up to 64 bytes (for SHA-512 digests) without proper validation:

    struct sum_buf {
        char sum2[SUM_LENGTH];  // 16-byte buffer
    };

    // Attacker-controlled parameter read from the wire
    s->s2length = read_int(f);
    read_buf(f, s->sums[i].sum2, s->s2length); // Overflow when s2length > 16

This allows up to 48 bytes of adjacent heap memory to be overwritten, corrupting critical data structures.

Combined with CVE-2024-12085 (an ASLR bypass), attackers gain reliable remote code execution on Debian 12 and Ubuntu systems running default rsync configurations.

Proof-of-concept exploits demonstrate full server compromise through crafted synchronization requests.

CVE-2024-12085: Uninitialized stack memory leak (CVSS 7.5)

The checksum comparison logic leaks uninitialized stack memory through a timing channel. During the file chunk check:

    char sum2[MAX_DIGEST_LEN];   // Uninitialized stack buffer
    get_checksum2(map, l, sum2); // Writes 8 bytes (xxhash64)

    // Compares s->s2length bytes (attacker-controlled)
    if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)

Attackers set s2length = 9 so that one unknown byte is compared per request, gradually revealing stack canaries and code pointers.

This enables the precise ASLR bypass required to exploit CVE-2024-12084.
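As an added example that is not rsync's own code, the following shows the bounded form of the two reads discussed under CVE-2024-12084 and CVE-2024-12085: the announced s2length is rejected when it exceeds the buffer, and the buffer is zeroed so no stale stack bytes can be compared. The sum_buf layout, SUM_LENGTH and MAX_DIGEST_LEN follow the snippets above; the in-memory stream, read_int/read_buf helpers, return codes and sample messages are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define SUM_LENGTH     16   /* size of sum2 in the vulnerable layout */
#define MAX_DIGEST_LEN 64   /* largest digest the protocol may announce */

struct sum_buf { char sum2[SUM_LENGTH]; };

/* Minimal in-memory stream standing in for the network socket (assumed). */
struct stream { const uint8_t *data; size_t len, pos; };

static int read_int(struct stream *f, int32_t *out) {
    if (f->len - f->pos < 4) return -1;          /* truncated message */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)f->data[f->pos++] << (8 * i);
    *out = (int32_t)v;
    return 0;
}

static int read_buf(struct stream *f, void *dst, size_t n) {
    if (f->len - f->pos < n) return -1;          /* never read past the message */
    memcpy(dst, f->data + f->pos, n);
    f->pos += n;
    return 0;
}

/* Hardened read: s2length must be in [1, SUM_LENGTH] before any copy, and
 * sum2 is zeroed first so a short digest leaves no uninitialized bytes. */
int read_sum2_checked(struct stream *f, struct sum_buf *s, int32_t *s2length) {
    memset(s->sum2, 0, sizeof s->sum2);
    if (read_int(f, s2length) != 0) return -1;
    if (*s2length < 1 || *s2length > SUM_LENGTH) return -2;   /* reject */
    return read_buf(f, s->sum2, (size_t)*s2length);
}

/* Constructed messages: a legitimate 16-byte checksum (hostile = 0) and
 * one announcing a 64-byte digest (hostile = 1), as in the overflow case.
 * Returns 0 when accepted, -2 when the length check rejects the message. */
int demo(int hostile) {
    uint8_t msg[4 + MAX_DIGEST_LEN] = {0};
    int32_t len = hostile ? MAX_DIGEST_LEN : SUM_LENGTH;
    msg[0] = (uint8_t)len;                     /* little-endian s2length */
    memset(msg + 4, 0xAB, (size_t)len);
    struct stream f = { msg, 4 + (size_t)len, 0 };
    struct sum_buf s;
    int32_t got;
    return read_sum2_checked(&f, &s, &got);
}
```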

CVE-2024-12086: Client file exfiltration (CVSS 8.6)

A malicious server can read arbitrary client files by manipulating paths in the XNAME parameter. The vulnerability stems from improper validation when the server sends file-comparison requests:

    if (iflags & ITEM_XNAME_FOLLOWS) {
        read_vstring(f_in, buf, MAXPATHLEN); // Server-controlled path
    }
    fd1 = do_open(fnamecmp, O_RDONLY, 0);    // Opens client-side file

The server uses checksum mismatches to brute-force file contents byte by byte, enabling theft of SSH keys, configuration files and other sensitive data.

CVE-2024-12087: Symlink directory escape (CVSS 8.1)

Attackers exploit a race condition in the directory cache to bypass symbolic-link protections. By sending:

    ./malicious-dir (directory)
    ./malicious-dir/target-file
    ./malicious-dir (symlink to /etc)

rsync clients follow the newly defined symlink and write target-file into /etc instead of the sync directory. This enables privilege escalation and corruption of system files.

CVE-2024-12088: --safe-links bypass (CVSS 6.5)

The safety feature intended to prevent symlink attacks does not account for nested links:

    {DESTINATION}/a -> .
    {DESTINATION}/exploit -> a/a/a/../../../etc

The validation logic computes the path depth as 4 (a/a/a/..), while the actual resolution escapes to /etc. This holds even with the option enabled.

All rsync users must upgrade to version 3.2.8 or apply vendor patches immediately. Administrators should:

  1. Disable anonymous rsync daemon access where possible
  2. Audit synchronization logs for unexpected checksum values
  3. Restrict client-side rsync to trusted servers only

Debian and Ubuntu have published emergency updates (DSA-5432-1, USN-6670-1). The vulnerabilities highlight the risks inherent in legacy synchronization protocols and the importance of memory-safe implementations.
