Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

rsynxOSX.txt

🗓️ 21 Sep 2004 00:00:00Reported by Matt JohnstonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

RsyncX for OS X has serious privilege escalation vulnerabilities and insecure file usage issues.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Product: RsyncX is a frontend for rsync running on OS X,  
with additional features such as crontab editing.  
  
http://www.macosxlabs.org/rsyncx/rsyncx.html  
  
Problems:  
  
1) RsyncX is installed setuid root and setgid wheel.  
  
Upon execution, the program drops root privileges (only via  
seteuid(getuid()) ). However it does not drop wheel-group  
privileges. This allows any user to execute arbitrary  
programs with egid=wheel. I assume it's also vulnerable to  
other attacks given it doesn't totally drop root privileges,  
though I didn't investigate that.  
  
Since "defaults" is run according to the user's path,  
System\ Preferences.app can be replaced with an arbitrary  
program as follows:  
  
First, make a backup of System\ Preferences.app  
  
Create an executable file ~/bin/defaults with contents of:  
  
=============================  
#!/bin/sh   
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"  
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"  
=============================  
  
Then run RsyncX with ~/bin in your path:  
  
PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX  
  
Click on System Preferences, and is now a calculator.  
  
2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be  
user-controlled.  
  
When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp  
is insecurely used. A user can create a dir /tmp/blahdir,  
then   
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp  
  
After RsyncX scheduler is used by an admin, /etc/crontab  
will become a symlink pointing to /tmp/blahdir/file.  
/tmp/blahdir is controlled by the user. Issues probably also  
exist with the "chown root; chmod u+s" on that file - I  
haven't fully investigated that.  
  
  
  
Workarounds:  
  
For setuid/setgid issues, change permissions on RsyncX so  
that it is only executable by admins, or not installed  
setuid or setgid.  
  
For the /tmp insecurity, don't use the RsyncX scheduler.  
  
Versions:  
  
RsyncX 2.1 was tested.  
  
Developer Response:  
  
Regarding the failure to drop gid=wheel, I was told that the  
program uses Apple Security Services to control authorized  
access, and that "any admin can gain root privs in OS X". I  
received no response when I confirmed that it was _any_  
user, not just admins.  
  
With the /tmp insecurity, I was told that there are a few  
bugs in the scheduler.   
  
These were reported to the developer on 8 Sept 2004.  
  
  
Matt Johnston   
matt ucc.asn.au  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
21 Sep 2004 00:00Current
7.4High risk
Vulners AI Score7.4
rsyncxos xsecurity vulnerabilitiesprivilege escalationsetuid issuesinsecure file usage.
18
.json
Report