Cyber Security News

RSync Vulnerabilities Allow Hackers to Take Full Control of Servers – PoC Released

A series of critical security vulnerabilities in the widely-used Rsync file synchronization tool have been uncovered, exposing millions of servers to potential takeover by anonymous attackers. 

The flaws, found in Rsync version 3.2.7 and earlier, enable remote code execution, sensitive data leaks, and file system manipulation through five distinct attack vectors, according to a report published on GitHub.

Proof of Concept

CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing (CVSS 9.8)

The most critical vulnerability exists in how Rsync daemons handle file checksums during synchronization.

Attackers can trigger a heap buffer overflow by sending malicious checksum data that exceeds the allocated 16-byte buffer (sum2 array).

The overflow occurs because the protocol accepts s2length values up to 64 bytes (for SHA-512 digests) without proper validation:

struct sum_buf {
    char sum2[SUM_LENGTH];   // 16-byte buffer
};

// Attacker-controlled length, read from the wire and used without a bounds check
s->s2length = read_int(f);
read_buf(f, s->sums[i].sum2, s->s2length);   // Overflows sum2 when s2length > 16

This allows overwriting 48 bytes of adjacent heap memory, corrupting critical data structures.

Combined with CVE-2024-12085 (ASLR bypass), attackers gain reliable remote code execution on Debian 12 and Ubuntu systems running default Rsync configurations. 

Proof-of-concept exploits demonstrate complete server compromise through crafted synchronization requests.

CVE-2024-12085: Uninitialized Stack Data Leak (CVSS 7.5)

The checksum comparison logic leaks uninitialized stack memory through timing side channels. During file chunk verification:

char sum2[MAX_DIGEST_LEN];      // Uninitialized stack buffer
get_checksum2(map, l, sum2);    // Writes only 8 bytes (xxhash64)

// Compares s->s2length bytes, a length the attacker controls
if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)   // Bytes past the 8 written are stale stack contents

Attackers set s2length=9 to compare 1 unknown byte per request, gradually leaking stack canaries and code pointers.

This enables the precise ASLR bypass required for CVE-2024-12084 exploitation.
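As an added example (not rsync's code, and not taken from the report the article cites), the length check a hardened receiver applies before copying checksum bytes, covering both CVE-2024-12084 and CVE-2024-12085. The wire reader, the record format and the helper names are constructed stand-ins.

```c
#include <stdint.h>
#include <string.h>

#define SUM_LENGTH 16                 /* size of sum2, as on the page */

struct sum_buf { char sum2[SUM_LENGTH]; };
struct wire { const unsigned char *p; size_t len, off; };   /* constructed stand-in for the socket */

static int read_int(struct wire *w, int32_t *out) {        /* little-endian int32, as rsync sends it */
    if (w->len - w->off < 4) return -1;
    const unsigned char *b = w->p + w->off;
    *out = (int32_t)((uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
    w->off += 4;
    return 0;
}

static int read_buf(struct wire *w, void *dst, size_t n) {
    if (w->len - w->off < n) return -1;
    memcpy(dst, w->p + w->off, n);
    w->off += n;
    return 0;
}

/* Hardened receive: s2length must fit the buffer (CVE-2024-12084) and the number of
 * bytes the local digest really writes (CVE-2024-12085); sum2 is zeroed so a short
 * record leaves no stale bytes. digest_len is 8 for xxhash64.
 * Returns 0 on success, -1 on short input, -2 on a rejected length. */
int receive_sum(struct wire *w, struct sum_buf *s, size_t digest_len, int32_t *s2length) {
    if (read_int(w, s2length) < 0) return -1;
    if (*s2length < 0 || (size_t)*s2length > sizeof s->sum2 || (size_t)*s2length > digest_len)
        return -2;
    memset(s->sum2, 0, sizeof s->sum2);
    return read_buf(w, s->sum2, (size_t)*s2length);
}

/* Constructed record [int32 LE s2length][s2length bytes of 0x41], parsed into a static
 * sum_buf that demo_sum2_byte() exposes for inspection. */
static struct sum_buf last;
int demo_record(int32_t s2length, size_t digest_len) {
    unsigned char rec[4 + 64];
    size_t body = (s2length > 0 && s2length <= 64) ? (size_t)s2length : 0;
    uint32_t u = (uint32_t)s2length;
    rec[0] = u & 0xff; rec[1] = (u >> 8) & 0xff; rec[2] = (u >> 16) & 0xff; rec[3] = u >> 24;
    memset(rec + 4, 0x41, body);
    struct wire w = { rec, 4 + body, 0 };
    int32_t got;
    return receive_sum(&w, &last, digest_len, &got);
}
int demo_sum2_byte(size_t i) { return i < SUM_LENGTH ? (unsigned char)last.sum2[i] : -1; }
```

A 64-byte record (the SHA-512 case from the text) and a 16-byte record against an 8-byte digest are both refused before any copy; only a record no longer than the digest is accepted.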

CVE-2024-12086: Client File Exfiltration (CVSS 8.6)

Malicious servers can exfiltrate arbitrary client files through path traversal in the xname parameter. The vulnerability stems from improper sanitization when servers send file comparison requests:

if (iflags & ITEM_XNAME_FOLLOWS) {
    read_vstring(f_in, buf, MAXPATHLEN);   // Server-controlled path, not sanitized
}

fd1 = do_open(fnamecmp, O_RDONLY, 0);      // Opens the client-side file the server named

Servers use checksum mismatches to brute-force file contents byte-by-byte, enabling theft of SSH keys, configuration files, and other sensitive data.

CVE-2024-12087: Symlink Directory Escape (CVSS 8.1)

Attackers exploit race conditions in directory caching to bypass symbolic link protections. By sending:

./malicious-dir (directory)

./malicious-dir/target-file

./malicious-dir (symlink to /etc)

Rsync clients follow the redefined symlink, writing target-file to /etc instead of the sync directory. This enables privilege escalation and system file corruption.

CVE-2024-12088: --safe-links Bypass (CVSS 6.5)

The security feature designed to prevent symlink attacks fails to account for nested links:

{DESTINATION}/a -> .

{DESTINATION}/exploit -> a/a/a/../../../etc

The validation logic calculates path depth as 4 (a/a/a/..), while actual resolution escapes to /etc. This persists even with --safe-links enabled.
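As an added example (not rsync's code), the lexical depth count described above beside a check that resolves the links already on disk before deciding whether a target stays inside the destination. The page's layout is rebuilt in a throwaway directory, and the helper names are assumed.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Lexical check in the spirit of the bypassed --safe-links logic: each component is one
 * level down and ".." one level up; it trusts "a" to be a real directory. 1 = escapes. */
int lexical_escapes(const char *target) {
    int depth = 0;
    if (target[0] == '/') return 1;
    while (*target) {
        const char *end = strchr(target, '/');
        size_t len = end ? (size_t)(end - target) : strlen(target);
        if (len == 2 && target[0] == '.' && target[1] == '.') depth--;
        else if (len > 0 && !(len == 1 && target[0] == '.')) depth++;
        if (depth < 0) return 1;
        target += end ? len + 1 : len;
    }
    return 0;
}

/* Resolving check: follow the links already present under dest for the directory part of
 * target and require the result to stay inside dest. 1 = escapes, -1 = cannot resolve. */
int resolved_escapes(const char *dest, const char *target) {
    char joined[PATH_MAX], real_dest[PATH_MAX], real_dir[PATH_MAX];
    const char *slash = strrchr(target, '/');
    if (target[0] == '/') return 1;                /* absolute targets always leave dest */
    if (!realpath(dest, real_dest)) return -1;
    snprintf(joined, sizeof joined, "%s/%.*s", dest, slash ? (int)(slash - target) : 1, slash ? target : ".");
    if (!realpath(joined, real_dir)) return -1;
    size_t n = strlen(real_dest);
    return !(strncmp(real_dir, real_dest, n) == 0 && (real_dir[n] == '/' || real_dir[n] == '\0'));
}

/* Constructed reproduction of the page's layout in a throwaway directory: dest/a -> . exists,
 * and the exploit link's target is checked as it would be before creation. Returns 1 when
 * the lexical check accepts it but the resolving check rejects it. */
int demo_nested_link_escape(void) {
    char tmpl[] = "rsync-safelinks-XXXXXX", dest[PATH_MAX], link[PATH_MAX];
    const char *target = "a/a/a/../../../etc";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(dest, sizeof dest, "%s/dest", tmpl);
    snprintf(link, sizeof link, "%s/a", dest);
    if (mkdir(dest, 0700) || symlink(".", link)) return -1;
    int lex = lexical_escapes(target), res = resolved_escapes(dest, target);
    unlink(link); rmdir(dest); rmdir(tmpl);
    return lex == 0 && res == 1;
}
```

With a -> . in place, the three "a" components resolve back to the destination itself, so the three ".." steps leave it; the lexical count never sees that, the resolving check does.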

All Rsync users must immediately upgrade to version 3.2.8 or apply vendor patches. Administrators should:

  1. Disable anonymous Rsync daemon access if possible
  2. Audit synchronization logs for unexpected checksum errors
  3. Restrict client Rsync to trusted servers only

Debian and Ubuntu have released emergency updates (DSA-5432-1, USN-6670-1). The vulnerabilities underscore the risks inherent in legacy synchronization protocols and the importance of memory-safe implementations.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
