Nessus Plugin #14543

Plugin Index

Note: This file has been created from a downloaded version of the Nessus Plugins from http://www.nessus.org/. Therefore, the information here can be outdated.

[GLSA-200407-10] rsync: Directory traversal in rsync daemon

Family:

Gentoo Local Security Checks

Category:

infos

Copyright:

(C) 2004 Michel Arboi

Summary:

rsync: Directory traversal in rsync daemon

Version:

$Revision: 1.1 $

Cve_id:

-

Bugtraq_id:

-

Xrefs:

GLSA:200407-10

Description:

The remote host is affected by the vulnerability described in GLSA-200407-10
(rsync: Directory traversal in rsync daemon)


When rsyncd is used without chroot ("use chroot = false" in the rsyncd.conf
file), the paths sent by the client are not checked thoroughly enough. If
rsyncd is used with read-write permissions ("read only = false"), this
vulnerability can be used to write files anywhere with the rights of the
rsyncd daemon. With default Gentoo installations, rsyncd runs in a chroot,
without write permissions and with the rights of the "nobody" user.

Impact

On affected configurations and if the rsync daemon runs under a privileged
user, a remote client can exploit this vulnerability to completely
compromise the host.

Workaround

You should never set the rsync daemon to run with "use chroot = false". If
for some reason you have to run rsyncd without a chroot, then you should
not set "read only = false".

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426


Solution:
All users should update to the latest version of the rsync package.
# emerge sync
# emerge -pv ">=net-misc/rsync-2.6.0-r2"
# emerge ">=net-misc/rsync-2.6.0-r2"


Risk Factor : Medium