rsync
cpe:2.3:a:gnu:rsync:*:*:*:*:*:*:*
- 3.2.7
- 3.3.0
A heap-based buffer overflow vulnerability has been identified in the Rsync daemon, specifically in versions 3.2.7 and 3.3.0. This vulnerability arises from improper handling of attacker-controlled checksum lengths, which can lead to out-of-bounds writes in the checksum buffer. When the maximum digest length exceeds a fixed limit of 16 bytes, an attacker can exploit this flaw to overwrite memory, potentially leading to arbitrary code execution.
Successful exploitation lets an attacker write beyond the bounds of the allocated heap buffer. This class of vulnerability can often be leveraged to execute arbitrary code on the affected system.
To reproduce this vulnerability, Rsync must be running as a daemon (rsync --daemon) on a server that allows anonymous read access. The vulnerability can be triggered by a client that sends a checksum length greater than 16 bytes, which is then improperly handled by the server, causing a heap-based buffer overflow.
Users are advised to update to Rsync version 3.4.0 or later, where this vulnerability has been patched. For systems that provide anonymous read access via Rsync, such as public mirror hosts, there are no reasonable mitigation options available.
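The length check whose absence the description above identifies, shown in hardened form as an added example (not rsync's own code and not part of the original advisory). The wire layout, struct, and function names are hypothetical; only the fixed 16-byte checksum buffer comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIGEST_BUF_LEN 16  /* fixed per-block checksum buffer size, per the advisory */

/* Hypothetical record: one block checksum stored in a fixed-size buffer. */
struct block_sum {
    uint8_t  digest[DIGEST_BUF_LEN];
    uint32_t digest_len;
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

/*
 * Constructed wire format (an assumption, not rsync's protocol):
 *   4 bytes little-endian checksum length, then that many digest bytes.
 * The peer controls both fields, so the length is validated against the
 * destination capacity before any copy. Skipping that comparison is the
 * flaw class the advisory describes: a length above 16 writes past digest[].
 */
int parse_block_sum(const uint8_t *msg, size_t msg_len, struct block_sum *out)
{
    uint32_t claimed;

    if (msg == NULL || out == NULL || msg_len < 4)
        return PARSE_TRUNCATED;

    claimed = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
              ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);

    /* Reject zero and anything larger than the fixed buffer. */
    if (claimed == 0 || claimed > DIGEST_BUF_LEN)
        return PARSE_BAD_LENGTH;

    /* Subtract from the trusted size rather than adding to the untrusted
     * value, so the comparison cannot wrap around. */
    if (msg_len - 4 < claimed)
        return PARSE_TRUNCATED;

    memset(out->digest, 0, sizeof out->digest);
    memcpy(out->digest, msg + 4, claimed);
    out->digest_len = claimed;
    return PARSE_OK;
}
```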