Rsync Arbitrary File Enumeration Vulnerability

Vulnerability

A vulnerability in Rsync versions through 3.2.7 allows a server to enumerate the contents of arbitrary files on a client's machine. The issue arises when files are transferred from the client to the server: during the transfer, the Rsync server sends checksums of its local data to the client, and the client compares them against its own copy to decide which data needs to be sent. A malicious server can send specially crafted checksum values for a chosen file and, from the client's responses, reconstruct that file's contents byte by byte. This is particularly concerning because it can lead to the unauthorized disclosure of sensitive information such as SSH keys, and the advisory notes that the issue could be leveraged to execute malicious code on the client's machine by overwriting files like ~/.bashrc or ~/.popt.

Impact

Exploitation of this vulnerability allows a malicious Rsync server to leak the contents of arbitrary files from connected clients, potentially leading to the unauthorized disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, connect to a malicious Rsync server using a client running Rsync version 3.2.7 or earlier. Once connected, the server sends crafted checksum values that manipulate the file transfer process, causing the client to leak file contents back to the server. This works by exploiting the way Rsync handles checksum comparisons, in particular by taking advantage of uninitialized stack data that can be used to infer file contents.

Remediation

Users should update to Rsync version 3.4.0 or later, where this vulnerability has been patched. Instructions for updating Rsync can be found in the Rsync project's official GitHub repository or through the Debian package management system.
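A quick way to audit a fleet for this issue is to check the installed client version against the fixed release named above. The following Python script is an added example and is not part of the advisory or the Rsync project; it parses the first line of `rsync --version` output (the `rsync  version X.Y.Z  protocol version N` format printed by upstream builds) and flags anything older than 3.4.0. The two sample output strings are constructed for illustration. One caveat for practitioners: distributions such as Debian often backport security fixes without bumping the upstream version number, so a version-string check can report a false positive; confirm against the distribution's package changelog or advisory before treating a host as vulnerable.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed release named in the advisory's Remediation section.
FIXED_IN: Tuple[int, int, int] = (3, 4, 0)

# Constructed sample outputs of `rsync --version` (not captured from real hosts).
SAMPLE_VULNERABLE = "rsync  version 3.2.7  protocol version 31\n"
SAMPLE_FIXED = "rsync  version 3.4.0  protocol version 32\n"

# Matches "rsync  version 3.2.7" and tolerates a missing patch number or a
# trailing suffix such as "3.4.0dev" (the suffix is ignored).
_VERSION_RE = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_rsync_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `rsync --version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the client version predates the fixed release (tuple compare)."""
    return version < FIXED_IN


def assess(output: str) -> str:
    """Return a one-line verdict for the given `rsync --version` output."""
    version = parse_rsync_version(output)
    if version is None:
        return "unknown: could not parse rsync version string"
    label = ".".join(str(part) for part in version)
    if is_affected(version):
        return f"affected: rsync {label} is older than 3.4.0 (verify distro backports)"
    return f"not affected: rsync {label} is at or above 3.4.0"


def assess_local_rsync() -> str:
    """Run the real binary on this host, if present, and assess its output."""
    try:
        proc = subprocess.run(
            ["rsync", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return "not installed: rsync binary not found on PATH"
    return assess(proc.stdout)


if __name__ == "__main__":
    print("sample (vulnerable):", assess(SAMPLE_VULNERABLE))
    print("sample (fixed):     ", assess(SAMPLE_FIXED))
    print("this host:          ", assess_local_rsync())
```

Running the script prints the verdict for the two constructed samples and for the rsync binary on the local host, if any. The comparison uses integer tuples rather than string comparison so that, for example, 3.10.0 would correctly sort above 3.4.0.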

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 0.8
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.