Signature Detail

RSYNC: Chunk-Checksum Overflow

This signature detects attempts to exploit a known vulnerability on an rsync server. Rsync versions 2.6 and earlier are vulnerable. Rsync allows a client to specify the number of chunk checksums during an rsync session. Attackers can instruct an rsync server to use an overly large number of chunk checksums, forcing the server into an overflow condition and enabling the attackers to execute code with rsync daemon privileges (typically "nobody").

Extended Description

rsync has been reported prone to an undisclosed heap overflow vulnerability when running in daemon mode. The issue has been reported to be remotely exploitable and will provide for an execution of arbitrary code.

Affected Products

• Apple Mac OS X 10.2.8
• Apple Mac OS X 10.3.2
• Apple Mac OS X Server 10.2.8
• Apple Mac OS X Server 10.3.2
• EnGarde Secure Linux Secure Community 1.0.1
• EnGarde Secure Linux Secure Community 2.0.0
• EnGarde Secure Linux Secure Professional 1.1.0
• EnGarde Secure Linux Secure Professional 1.2.0
• EnGarde Secure Linux Secure Professional 1.5.0
• Red Hat Fedora Core1
• Red Hat rsync-2.4.6-2.i386.rpm
• Red Hat rsync-2.4.6-5.i386.rpm
• Red Hat rsync-2.4.6-5.ia64.rpm
• Red Hat rsync-2.5.4-2.i386.rpm
• Red Hat rsync-2.5.5-1.i386.rpm
• Red Hat rsync-2.5.5-4.i386.rpm
• rsync 2.3.1
• rsync 2.3.2
• rsync 2.4.0 .0
• rsync 2.4.1
• rsync 2.4.3
• rsync 2.4.4
• rsync 2.4.5
• rsync 2.4.6
• rsync 2.4.8
• rsync 2.5.0 .0
• rsync 2.5.1
• rsync 2.5.2
• rsync 2.5.3
• rsync 2.5.4
• rsync 2.5.5
• rsync 2.5.6
• SGI ProPack 2.3.0
• Slackware Linux 8.1.0
• Slackware Linux 9.0.0
• Slackware Linux 9.1.0
• Slackware Linux -Current
• Slackware Slackware Linux 8.1
• Slackware Slackware Linux 9.0
• Slackware Slackware Linux 9.1
• Sun Cobalt Qube 3
• Sun Cobalt RaQ 4
• Sun Cobalt RaQ XTR

References

• BugTraq: 9153
• CVE: CVE-2003-0962
• URL: http://marc.theaimsgroup.com/?l=bugtraq&m=107055681311602&w=2
• URL: http://www.kb.cert.org/vuls/id/325603