CVE-2024-12085 - How a Simple Checksum Bug in Rsync Can Leak Stack Data Byte by Byte

In early 2024, a subtle but critical security flaw was discovered in rsync, the widely-used tool for fast file synchronization. Tracked as CVE-2024-12085, this vulnerability opens up an unexpected data leakage channel that can reveal fragments of a system’s memory—one byte at a time. In this exclusive guide, we’ll break down how this bug works, show you a code snippet, and walk through an exploitation scenario in simple terms.

What is Rsync, and Why Is This Bug Important?

rsync works by comparing files between systems using efficient checksums to only transfer changed blocks. It’s everywhere: backing up servers, mirroring websites, keeping huge code repositories in sync. So a flaw that leaks memory, even slowly, can have nasty consequences—think passwords, credentials, or other sensitive stack data going out for any authenticated user to grab.

Details on CVE-2024-12085

### CVE ID: CVE-2024-12085
Affected software: rsync
Bug type: Stack memory disclosure
Attack vector: Manipulating file checksum handling
CVSS score: (see the Red Hat advisory for updates)

How Does the Exploit Work?

At its core, this is a simple programming oversight. When rsync compares file checksums—used to detect changes—it doesn’t always initialize all the memory it uses. Specifically, the checksum length (s2length) can be manipulated by a remote attacker. If it’s set wrongly, the checksum comparison reads (and sometimes then sends back) uninitialized values.

This means each time the attacker runs the exploit, they can leak one byte of stack data. It’s slow, but it’s a reliable leak.

Here’s a simplified version of the buggy logic in rsync’s checksum comparison

int match = 1;
for (int i = ; i < s2length; i++) {
    if (checksum1[i] != checksum2[i]) {
        match = ;
        break;
    }
}

If s2length is larger than the actual checksum, and checksum2 isn't fully initialized, this loop might compare an attacker-controlled value with whatever random memory was on the stack at that spot.

The response might then leak “did it match or not” for each position—essentially a 1-byte oracle.

How an Attacker Can Exploit This

Let’s say you run a server with rsync enabled. An attacker connects and uploads (or pushes) cleverly-crafted files. By tricking rsync to perform checksum comparisons with their chosen s2length, they can:

Force a comparison between a known value and an uninitialized byte.

2. Observe rsync’s behavior (hint: the "match/no match" result can be used to deduce actual memory bytes).
3. Repeat the process, one byte at a time, to dump whatever was left uninitialized on the stack—potentially passwords, tokens, or other data.

This is slow, but if attackers are patient—and for valuable targets, they always are—they could collect sensitive info with nothing but rsync and remote access.

This demonstrates how an attacker might interact with an rsync server to try to trigger the bug

import socket

def send_fake_rsync_packet(ip, port, checksum, s2length):
    s = socket.socket()
    s.connect((ip, port))
    # This is just a mockup. Real rsync traffic is more complex!
    packet = b'MAGIC' + checksum + bytes([s2length])
    s.sendall(packet)
    response = s.recv(1024)
    s.close()
    return response

# Attacker guesses values to deduce stack memory, one position at a time
for guess in range(256):
    response = send_fake_rsync_packet('target.rsync.server', 873, b'\x00'*16, 17)  # 1 byte over
    if b"match" in response:
        print(f"Leaked stack byte: {guess}")
        break

(Note: Real exploitation requires knowledge of rsync's wire protocol, but this sketch shows the idea.)

Mitigations and Fixes

- Patched versions are available! See the official rsync download page.

Upgrade immediately: Ensure both server and client sides are running the latest release.

- Limit rsync access: Only allow trusted users and networks, and consider disabling rsync if you don’t need it running.

References

- CVE-2024-12085 (NVD)
- Red Hat CVE Page
- rsync official changelog
- Debian Security Advisory (DSA-5654-1)
- Exploit-DB rsync vulnerabilities

Final Thoughts

Even small memory leaks like this can be devastating on big, busy systems. This bug in rsync is a reminder that uninitialized memory is a ticking time bomb—and that every byte can count for attackers. If you’re a sysadmin or developer, patch fast, limit exposure, and always check those change logs!

Stay safe, and keep your files and memory locked down!

Timeline

Published on: 01/14/2025 18:15:25 UTC
Last modified on: 02/03/2025 20:15:32 UTC