rsync
cpe:2.3:a:gnu:rsync:*:*:*:*:*:*:*, +1 more
- <= 3.3.0
A path traversal vulnerability has been identified in the rsync utility, specifically in versions through 3.2.7. The vulnerability is reachable when the '--inc-recursive' option is in effect, which is the case by default for many client options and which a server can also turn on without the client's acknowledgment. The issue stems from inadequate verification of symbolic links in the received file list: a malicious server can use them to control where the client writes files, potentially overwriting critical files. This is particularly concerning because it can be used to exfiltrate sensitive data or to execute arbitrary code by overwriting files that are later executed as scripts.
Exploitation of this vulnerability allows a server to write files to arbitrary locations on the client's machine, escaping the intended destination directory. This could lead to important files, such as configuration or script files, being overwritten with malicious content. When combined with other vulnerabilities, such as a heap buffer overflow and an information leak, this could allow arbitrary code execution on the client.
To reproduce this vulnerability, connect to a malicious rsync server that has the '--inc-recursive' option enabled. Ensure that symbolic link syncing is activated on the client. The server can then send a crafted file list that exploits the path traversal vulnerability by using symbolic links to direct file writes outside of the intended directory.
Users can update to rsync version 3.4.0 or later, where this vulnerability has been patched. For Red Hat Enterprise Linux 8 and 9, the update is available through the Red Hat Product Errata RHSA-2025:2600 and RHSA-2025:7050, respectively.
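The core defect described above is a missing containment check: before writing an entry from an untrusted file list, the client should confirm that the destination path, after every symbolic link and '..' component is resolved, still lies inside the destination directory. The following is an added illustration of such a check, written for this page and not taken from rsync's own source; the function names and the temporary-directory fixture are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def is_within_dest(dest_root: str, rel_path: str) -> bool:
    """Return True only if writing rel_path under dest_root lands inside
    dest_root once every symlink and '..' in the path has been resolved.
    This is the containment check the affected rsync versions lacked."""
    rel = Path(rel_path)
    if rel.is_absolute():
        return False
    root = Path(dest_root).resolve(strict=True)
    # resolve(strict=False) follows symlinks in every component that already
    # exists, so a link planted earlier in the same transfer that points
    # outside the destination is caught even though the final file is new.
    target = (root / rel).resolve(strict=False)
    return target == root or root in target.parents


def demo() -> dict:
    """Build a throwaway destination with a planted symlink (constructed
    fixture) and evaluate three file-list entries against the check."""
    outside = tempfile.mkdtemp(prefix="outside-")
    dest = tempfile.mkdtemp(prefix="dest-")
    # Hypothetical symlink entry an untrusted server could have sent earlier
    # in the file list: "escape" -> a directory outside the destination.
    os.symlink(outside, os.path.join(dest, "escape"))
    os.makedirs(os.path.join(dest, "docs"))
    return {
        "docs/readme.txt": is_within_dest(dest, "docs/readme.txt"),
        "escape/.bashrc": is_within_dest(dest, "escape/.bashrc"),
        "docs/../../etc/passwd": is_within_dest(dest, "docs/../../etc/passwd"),
    }


if __name__ == "__main__":
    for entry, ok in demo().items():
        print(f"{entry!r}: {'accepted' if ok else 'rejected'}")
```

Only the first entry is accepted; the symlink-backed entry and the lexical traversal are both rejected before any write occurs.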