Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

rsynxOSX.txt

🗓️ 21 Sep 2004 00:00:00Reported by Matt JohnstonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

RsyncX for OS X has serious privilege escalation vulnerabilities and insecure file usage issues.

Code
`Product: RsyncX is a frontend for rsync running on OS X,  
with additional features such as crontab editing.  
  
http://www.macosxlabs.org/rsyncx/rsyncx.html  
  
Problems:  
  
1) RsyncX is installed setuid root and setgid wheel.  
  
Upon execution, the program drops root privileges (only via  
seteuid(getuid()) ). However it does not drop wheel-group  
privileges. This allows any user to execute arbitrary  
programs with egid=wheel. I assume it's also vulnerable to  
other attacks given it doesn't totally drop root privileges,  
though I didn't investigate that.  
  
Since "defaults" is run according to the user's path,  
System\ Preferences.app can be replaced with an arbitrary  
program as follows:  
  
First, make a backup of System\ Preferences.app  
  
Create an executable file ~/bin/defaults with contents of:  
  
=============================  
#!/bin/sh   
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"  
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"  
=============================  
  
Then run RsyncX with ~/bin in your path:  
  
PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX  
  
Click on System Preferences, and is now a calculator.  
  
2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be  
user-controlled.  
  
When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp  
is insecurely used. A user can create a dir /tmp/blahdir,  
then   
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp  
  
After RsyncX scheduler is used by an admin, /etc/crontab  
will become a symlink pointing to /tmp/blahdir/file.  
/tmp/blahdir is controlled by the user. Issues probably also  
exist with the "chown root; chmod u+s" on that file - I  
haven't fully investigated that.  
  
  
  
Workarounds:  
  
For setuid/setgid issues, change permissions on RsyncX so  
that it is only executable by admins, or not installed  
setuid or setgid.  
  
For the /tmp insecurity, don't use the RsyncX scheduler.  
  
Versions:  
  
RsyncX 2.1 was tested.  
  
Developer Response:  
  
Regarding the failure to drop gid=wheel, I was told that the  
program uses Apple Security Services to control authorized  
access, and that "any admin can gain root privs in OS X". I  
received no response when I confirmed that it was _any_  
user, not just admins.  
  
With the /tmp insecurity, I was told that there are a few  
bugs in the scheduler.   
  
These were reported to the developer on 8 Sept 2004.  
  
  
Matt Johnston   
matt ucc.asn.au  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Sep 2004 00:00Current
7.4High risk
Vulners AI Score7.4
rsyncxos xsecurity vulnerabilitiesprivilege escalationsetuid issuesinsecure file usage.
20