Rclone Unauthenticated RC Options/Set Endpoint Vulnerability Allows Authorization Bypass and Access to Sensitive Functions

Vulnerability

Rclone versions from 1.45.0 up to, but not including, 1.73.5 expose the RC endpoint 'options/set' without authentication. This endpoint modifies global runtime settings, including the 'rc' option block that governs the RC server itself. On a server that is reachable over the network and not protected by global HTTP authentication, an unauthenticated attacker can use it to set the RC option 'NoAuth' to true, which disables the authentication check on every RC method that normally requires it. The attacker then has unauthenticated access to administrative RC functions and commands.

Impact

Successful exploitation bypasses authorization on the RC administrative interface, giving an unauthenticated caller access to sensitive configuration and operational functions. Depending on which RC methods are reachable on the host, this can enable reading local files, disclosure of credentials and remote configuration, enumeration of the filesystem, and execution of commands.

Reproduction

To reproduce, start an Rclone RC server (rclone rcd) that is reachable without global HTTP authentication, i.e. with no --rc-user/--rc-pass configured. Such a server is supposed to serve only the RC methods that do not require authentication, and a call to a protected method should be rejected. Then call 'options/set' to set 'rc.NoAuth' to true. Once that call succeeds, previously protected RC methods can be invoked without credentials, bypassing the intended authorization requirement.

Remediation

Update to Rclone version 1.73.5 or later, where this vulnerability has been patched. Until the update is applied, the exposure described above can be reduced by enabling global HTTP authentication on the RC interface (--rc-user/--rc-pass or --rc-htpasswd) and by keeping --rc-addr bound to a loopback address so the endpoint is not reachable over the network.

Added: Apr 23, 2026, 12:24 AM
Updated: Apr 23, 2026, 12:24 AM

Vulnerability Rating

Custom Algorithm
spread          5.4
impact          5.0
exploitability  6.0
remediation     7.7
relevance       6.5
threat          6.7
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.