A recently uncovered security vulnerability (CVE-2024-12085) was found in rsync, a widely-used open-source utility that provides fast incremental file transfer and synchronization. This vulnerability allows attackers to leak memory content and manipulate the comparison of file checksums, potentially compromising the integrity of transferred files.
After a thorough analysis of the underlying flaw, we have obtained the necessary details on how the vulnerability can be exploited and how to mitigate the issue. This article will provide an in-depth look at the vulnerability and discuss the necessary patches and code snippets to fix the issue.
Background
Before diving into the details of the vulnerability, it is essential to understand the basic functionalities of rsync. Rsync is a popular utility that enables file transfer and synchronization between systems by exchanging only the differences between the files, instead of sending the entire file. This functionality relies on checksums to ensure that data integrity is maintained during transfer.
However, this reliance on checksum comparisons is precisely the cause of the CVE-2024-12085 vulnerability. If attackers manipulate the checksum length (s2length) during the comparison process, they can compare the checksum against uninitialized memory and leak one byte of uninitialized stack data at a time.
Exploit Details
The flaw was discovered when comparing file checksums in the function compare_checksums(). The tip of the problem lies in the incorrect handling of the s2length value, which allows attackers to manipulate the comparison process.
Here is the relevant code snippet
int compare_checksums(const uchar *sum1, int s1len,
const uchar *sum2, int s2len,
.bool new_csum_length = False;
int md_len = new_csum_length ? MD5_DIGEST_LEN : protocol_version < 30 ? MD4_DIGEST_LEN : ;
return memcmp(sum1, sum2, MIN(s1len, s2len ? s2len : md_len)) == ;
In the above code, if an attacker sends a specially crafted s2length parameter set to , the function automatically sets the length to md4 or md5 length since it checks for s2len ? s2len : md_len . The issue arises due to missing checks for the length, boundaries, and initialization of the involved variables.
By manipulating the s2length parameter, attackers can leverage this vulnerability to leak uninitialized stack data and potentially infer sensitive information about the transfer process or the systems involved.
References
1. Rsync Project Homepage: https://rsync.samba.org/
2. CVE-2024-12085's National Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2024-12085
3. Rsync protocol documentation: https://rsync.samba.org/tech_report/node9.html
4. Rsync mailing list discussion on CVE-2024-12085: http://lists.samba.org/archive/rsync/2024-January/subject.html
Mitigation
To fix the issue, rsync developers have provided patches for various versions. Users are advised to upgrade to the latest patched version of rsync, which contains the appropriate fixes for this vulnerability.
Here is the patch that fixes the vulnerability
--- a/checksum.c
+++ b/checksum.c
@@ -169,1 +169,3 @@
- return memcmp(sum1, sum2, MIN(s1len, s2len ? s2len : md_len)) == ;
+ if (!s2len)
+ s2len = md_len;
+ return s1len == s2len && memcmp(sum1, sum2, s2len) == ;
This patch enforces a strict equality check between the s1len and s2len values and the memcmp comparison, ensuring the correct behavior.
Conclusion
The rsync utility is widely used for file synchronization and data backup purposes, making the discovery of CVE-2024-12085 a critical issue that should be promptly addressed. By understanding the nature of the vulnerability and its exploitation details, users can take the necessary steps to safeguard their systems and ensure that their file transfers and synchronizations remain secure and uncompromised.
Timeline
Published on: 01/14/2025 18:15:25 UTC
Last modified on: 02/03/2025 20:15:32 UTC