Rsync TOCTOU Race Condition Vulnerability Allows Arbitrary File Write and Privilege Escalation

A time-of-check to time-of-use (TOCTOU) race condition has been identified in Rsync versions prior to 3.4.3. This vulnerability occurs in the daemon file handling process, allowing attackers to manipulate file writes by replacing parent directory components with symbolic links. Exploitation of this race condition can lead to the creation or overwriting of arbitrary files, including sensitive system files, potentially allowing for privilege escalation if the daemon operates with elevated rights. The vulnerability is only exploitable when the chroot setting is disabled.

Impact

Exploitation of this vulnerability can result in unauthorized file modifications, including overwriting critical system files, and may lead to privilege escalation when the Rsync daemon is running with elevated privileges.

Reproduction

To reproduce this vulnerability, configure an Rsync daemon with 'use chroot = no' and ensure it is running with elevated privileges. An attacker with write access to a module path can then exploit the TOCTOU race condition by replacing a parent directory component with a symbolic link, redirecting file writes outside the intended directory.

Remediation

Users can upgrade to Rsync version 3.4.3 or later, where this vulnerability has been fixed.