Rsync Uninitialized Memory Vulnerability Leading to Information Disclosure

Vulnerability

A vulnerability in Rsync versions through 3.2.7 allows information leakage from uninitialized stack memory. The issue arises when the Rsync daemon compares file checksums: an attacker can manipulate the checksum length so that the comparison reads uninitialized memory, leaking one byte of sensitive data per attempt. Over multiple requests, up to MAX_DIGEST_LEN - 8 bytes can be extracted, which may be enough to bypass Address Space Layout Randomization (ASLR).
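The defensive pattern that closes this class of bug, as an added example that is not rsync's own code: the function below is a hypothetical model of a daemon-side digest comparison in which the peer supplies the comparison length. It refuses any length longer than the digest actually computed, zero-fills its local buffer so no stale stack bytes are ever readable, and compares in constant time. The names and the digest width are assumptions for the example.

```c
/* Added example, not rsync's code. Models a checksum comparison where the
 * peer supplies the length, and shows the checks that prevent the comparison
 * from reaching bytes the daemon never wrote. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DIGEST_LEN 64   /* assumed width: enough for a SHA256 digest */

/* The unsafe shape of this routine kept an uninitialized local buffer and
 * compared `requested_len` bytes of it without checking that length against
 * the digest actually produced, so a long length read leftover stack data.
 *
 * Returns 1 on match, 0 on mismatch, -1 when the requested length is rejected. */
int checksum_matches_safe(const uint8_t *computed, size_t computed_len,
                          const uint8_t *received, size_t requested_len)
{
    uint8_t local[MAX_DIGEST_LEN];
    memset(local, 0, sizeof local);              /* no stale stack contents */

    /* Never compare more bytes than were computed: the peer-supplied length
     * is untrusted input, not a trusted description of the buffer. */
    if (computed_len > sizeof local || requested_len > computed_len)
        return -1;

    memcpy(local, computed, computed_len);

    /* Constant-time comparison over the validated length only. */
    uint8_t diff = 0;
    for (size_t i = 0; i < requested_len; i++)
        diff |= (uint8_t)(local[i] ^ received[i]);
    return diff == 0;
}
```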

Impact

Exploitation of this vulnerability allows an attacker to leak uninitialized stack data, which could include pointers to critical memory locations such as heap addresses, or values such as stack cookies. This information could be used to bypass security mechanisms like ASLR and so enable further exploitation.

Reproduction

The vulnerability can be reproduced by running an Rsync server with the daemon option enabled. An attacker can then send a crafted checksum whose length has been manipulated, causing the server to compare it against uninitialized memory on the stack. This relies on the Rsync protocol's checksum handling; in particular, a version of Rsync that supports SHA256 digests allows greater manipulation of the checksum data.

Remediation

Users can upgrade to Rsync version 3.4.0 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.