ID CVE-2003-0962
Summary Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.
References
Vulnerable Configurations
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.0
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.3
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.4
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.5
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.6
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.8
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.0
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.2
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.3
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.4
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.5
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.6
  • cpe:2.3:a:redhat:rsync:2.4.6-2:-:i386
  • cpe:2.3:a:redhat:rsync:2.4.6-5:-:i386
  • cpe:2.3:a:redhat:rsync:2.4.6-5:-:ia64
  • cpe:2.3:a:redhat:rsync:2.5.4-2:-:i386
  • cpe:2.3:a:redhat:rsync:2.5.5-1:-:i386
  • cpe:2.3:a:redhat:rsync:2.5.5-4:-:i386
  • Engarde Secure Community 1.0.1
    cpe:2.3:o:engardelinux:secure_community:1.0.1
  • Engarde Secure Community 2.0
    cpe:2.3:o:engardelinux:secure_community:2.0
  • cpe:2.3:o:engardelinux:secure_linux:1.1:-:professional
  • cpe:2.3:o:engardelinux:secure_linux:1.2:-:professional
  • cpe:2.3:o:engardelinux:secure_linux:1.5:-:professional
  • Slackware Linux 8.1
    cpe:2.3:o:slackware:slackware_linux:8.1
  • Slackware Linux 9.0
    cpe:2.3:o:slackware:slackware_linux:9.0
  • Slackware Linux 9.1
    cpe:2.3:o:slackware:slackware_linux:9.1
  • cpe:2.3:o:slackware:slackware_linux:current
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_RSYNC_257.NASL
    description The following package needs to be updated: rsync
    last seen 2016-09-26
    modified 2011-10-03
    plugin id 12609
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12609
    title FreeBSD : rsync buffer overflow in server mode (167)
  • NASL family Gain a shell remotely
    NASL id RSYNC_HEAP_OVERFLOW.NASL
    description The remote rsync server is affected by a heap buffer overflow condition when running in server mode. An attacker can exploit this issue to gain a shell on the host and execute arbitrary code. Note that since rsync does not advertise its version number and since there are few details about this flaw at this time, this might be a false positive.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 11943
    published 2003-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11943
    title rsync < 2.5.7 Unspecified Remote Heap Overflow
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-404.NASL
    description The rsync team has received evidence that a vulnerability in all versions of rsync prior to 2.5.7, a fast remote file copy program, was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While this heap overflow vulnerability could not be used by itself to obtain root access on an rsync server, it could be used in combination with the recently announced do_brk() vulnerability in the Linux kernel to produce a full remote compromise. Please note that this vulnerability only affects the use of rsync as an 'rsync server'. To see if you are running a rsync server you should use the command 'netstat -a -n' to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running an rsync server.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15241
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15241
    title Debian DSA-404-1 : rsync - heap overflow
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2003_050.NASL
    description The remote host is missing the patch for the advisory SuSE-SA:2003:050 (rsync). The rsync suite provides client and server tools to easily support an administrator keeping the files of different machines in sync. In most private networks the rsync client tool is used via SSH to fulfill its tasks. In an open environment rsync is run in server mode accepting connections from many untrusted hosts with, but mostly without, authentication. The rsync server drops its root privileges soon after it was started and per default creates a chroot environment. Due to insufficient integer/bounds checking in the server code a heap overflow can be triggered remotely to execute arbitrary code. This code does not get executed as root and access is limited to the chroot environment. The chroot environment may be broken afterwards by abusing further holes in system software or holes in the chroot setup. You are not vulnerable as long as you do not use rsync in server mode or you use authentication to access the rsync server. As a temporary workaround you can disable access to your rsync server for untrusted parties, enable authentication or switch back to rsync via SSH. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.
    last seen 2019-02-21
    modified 2011-11-03
    plugin id 13818
    published 2004-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13818
    title SuSE-SA:2003:050: rsync
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-399.NASL
    description Updated rsync packages are now available that fix a heap overflow in the Rsync server. rsync is a program for synchronizing files over the network. A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0962 to this issue. All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue. NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command : /sbin/chkconfig --list rsync If the rsync server has been enabled but is not required, it can be disabled by running the following command as root : /sbin/chkconfig rsync off Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12440
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12440
    title RHEL 2.1 / 3 : rsync (RHSA-2003:399)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_5729B8ED5D7511D880E30020ED76EF5A.NASL
    description When rsync is run in server mode, a buffer overflow could allow a remote attacker to execute arbitrary code with the privileges of the rsync server. Anonymous rsync servers are at the highest risk.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 36807
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36807
    title FreeBSD : rsync buffer overflow in server mode (5729b8ed-5d75-11d8-80e3-0020ed76ef5a)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2003-111.NASL
    description A vulnerability was discovered in all versions of rsync prior to 2.5.7 that was recently used in conjunction with the Linux kernel do_brk() vulnerability to compromise a public rsync server. This heap overflow vulnerability, by itself, cannot yield root access, however it does allow arbitrary code execution on the host running rsync as a server. Also note that this only affects hosts running rsync in server mode (listening on port 873, typically under xinetd).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14093
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14093
    title Mandrake Linux Security Advisory : rsync (MDKSA-2003:111)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD20031219.NASL
    description The remote host is missing Security Update 2003-12-19. This security update includes the following components : - AFP Server - cd9600.util - Directory Services - fetchmail - fs_usage - rsync - System Initialization For MacOS X 10.3, it also includes : - ASN.1 Decoding for PKI This update contains various fixes which may allow an attacker to execute arbitrary code on the remote host.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 12516
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12516
    title Mac OS X Multiple Vulnerabilities (Security Update 2003-12-19)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2003-030.NASL
    description A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0962 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13666
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13666
    title Fedora Core 1 : rsync-2.5.7-2 (2003-030)
oval via4
accepted 2013-04-29T04:19:16.743-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.
family unix
id oval:org.mitre.oval:def:9415
status accepted
submitted 2010-07-09T03:56:16-04:00
title Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.
version 24
redhat via4
advisories
rhsa
id RHSA-2003:398
refmap via4
bid 9153
bugtraq
  • 20031204 GLSA: exploitable heap overflow in rsync (200312-03)
  • 20031204 [OpenPKG-SA-2003.051] OpenPKG Security Advisory (rsync)
  • 20031204 rsync security advisory (fwd)
cert-vn VU#325603
conectiva CLA-2003:794
debian DSA-404
engarde ESA-20031204-032
immunix IMNX-2003-73-001-01
mandrake MDKSA-2003:111
osvdb 2898
secunia
  • 10353
  • 10354
  • 10355
  • 10356
  • 10357
  • 10358
  • 10359
  • 10360
  • 10361
  • 10362
  • 10363
  • 10364
  • 10378
  • 10474
sgi 20031202-01-U
suse SuSE-SA:2003:050
trustix 2003-0048
xf linux-rsync-heap-overflow(13899)
Last major update 17-10-2016 - 22:38
Published 15-12-2003 - 00:00
Last modified 02-05-2018 - 21:29