ID CVE-2004-0792
Summary Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.
References
Vulnerable Configurations
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:alpha
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:arm
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:intel
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:m68k
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:ppc
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.2:-:sparc
  • cpe:2.3:a:andrew_tridgell:rsync:2.3.2_1.3
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.0
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.3
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.4
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.5
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.6
  • cpe:2.3:a:andrew_tridgell:rsync:2.4.8
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.0
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.2
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.3
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.4
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.5
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.6
  • cpe:2.3:a:andrew_tridgell:rsync:2.5.7
  • cpe:2.3:a:andrew_tridgell:rsync:2.6
  • cpe:2.3:a:andrew_tridgell:rsync:2.6.1
  • cpe:2.3:a:andrew_tridgell:rsync:2.6.2
CVSS
Base: 6.4 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability NONE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_RSYNC_262_2.NASL
    description The remote host has an old version of rsync installed. There is a flaw in this version of rsync which, due to an input validation error, would allow a remote attacker to gain access to the remote system. An attacker, exploiting this flaw, would need network access to the TCP port. Successful exploitation requires that the rsync daemon is *not* running chroot.
    last seen 2016-09-26
    modified 2011-10-02
    plugin id 14386
    published 2004-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14386
    title FreeBSD Ports : rsync < 2.6.2_2
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-538.NASL
    description The rsync developers have discovered a security-related problem in rsync, a fast remote file copy program, which allows an attacker to access files outside of the defined directory. To exploit this path-sanitizing bug, rsync has to run in daemon mode with the chroot option being disabled. It does not affect the normal send/receive filenames that specify what files should be transferred. It does affect certain option paths that cause auxiliary files to be read or written.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 15375
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15375
    title Debian DSA-538-1 : rsync - unsanitised input processing
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2689F4CBEC4C11D89440000347A4FA7D.NASL
    description An rsync security advisory reports : There is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. The bug may allow a remote user to access files outside of an rsync module's configured path with the privileges configured for that module.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 18874
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18874
    title FreeBSD : rsync -- path sanitizing vulnerability (2689f4cb-ec4c-11d8-9440-000347a4fa7d)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-285-01.NASL
    description New rsync 2.6.3 packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue when rsync is run as a non-chrooted server.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18780
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18780
    title Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : rsync (SSA:2004-285-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-436.NASL
    description An updated rsync package that fixes a path sanitizing bug is now available. The rsync program synchronizes files over a network. Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0792 to this issue. Users of rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 14623
    published 2004-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14623
    title RHEL 2.1 / 3 : rsync (RHSA-2004:436)
  • NASL family Gain a shell remotely
    NASL id RSYNC_PATH_SANITATION_VULN.NASL
    description An information disclosure vulnerability exists in rsync due to improper validation of user-supplied input to the sanitize_path() function. An unauthenticated, remote attacker can exploit this, via a specially crafted path, to generate an absolute filename in place of a relative filename, resulting in the disclosure of arbitrary files. However, successful exploitation requires that the rsync daemon is not running chrooted. Note that since rsync does not advertise its version number and since there are few details about this flaw at this time, this might be a false positive.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 14223
    published 2004-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14223
    title rsync sanitize_path() Function Arbitrary File Disclosure
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200408-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-200408-17 (rsync: Potential information leakage). The paths sent by the rsync client are not checked thoroughly enough. It does not affect the normal send/receive filenames that specify what files should be transferred. It does affect certain option paths that cause auxiliary files to be read or written. Impact: When rsyncd is used without chroot ('use chroot = false' in the rsyncd.conf file), this vulnerability could allow the listing of arbitrary files outside the module's path and allow file overwriting outside the module's path on rsync server configurations that allow uploading. Both possibilities are exposed only when the chroot option is disabled. Workaround: You should never set the rsync daemon to run with 'use chroot = false'.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 14573
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14573
    title GLSA-200408-17 : rsync: Potential information leakage
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-083.NASL
    description An advisory was sent out by the rsync team regarding a security vulnerability in all versions of rsync prior to and including 2.6.2. If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it. This vulnerability allows a remote attacker to possibly read/write to/from files outside of the rsync directory. The updated packages are patched to prevent this problem.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14332
    published 2004-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14332
    title Mandrake Linux Security Advisory : rsync (MDKSA-2004:083)
oval via4
accepted 2013-04-29T04:06:42.344-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.
family unix
id oval:org.mitre.oval:def:10561
status accepted
submitted 2010-07-09T03:56:16-04:00
title Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.
version 24
redhat via4
advisories
bugzilla
id 130050
title CAN-2004-0792 rsync path sanitizing bug
oval
AND
  • comment Red Hat Enterprise Linux 3 is installed
    oval oval:com.redhat.rhsa:tst:20030315001
  • comment rsync is earlier than 0:2.5.7-5.3E
    oval oval:com.redhat.rhsa:tst:20040436002
  • comment rsync is signed with Red Hat master key
    oval oval:com.redhat.rhsa:tst:20030399003
rhsa
id RHSA-2004:436
released 2004-09-01
severity Moderate
title RHSA-2004:436: rsync security update (Moderate)
rpms rsync-0:2.5.7-5.3E
refmap via4
bugtraq
  • 20040816 TSSA-2004-020-ES - rsync
  • 20040817 LNSA-#2004-0017: rsync (Aug, 17 2004)
confirm http://samba.org/rsync/#security_aug04
debian DSA-538
gentoo GLSA-200408-17
mandrake MDKSA-2004:083
suse SUSE-SA:2004:026
trustix 2004-0042
Last major update 17-10-2016 - 22:49
Published 20-10-2004 - 00:00
Last modified 10-10-2017 - 21:29