CVSS 0.0 CVE-2021-3755
CVSS 0.0 NVD score not yet provided.
Rejected A command injection vulnerability was found in Rsync. An attacker can use this vulnerability to execute arbitrary commands on a remote host via arguments passed to Rsync for a copy operation. The attacker needs to know the SSH login password to be able to exploit this issue.
Description
Note
The described behavior is not a vulnerability, but the usual procedure for applications that communicate via SSH.
This command execution is similar to that described in CVE-2020-15778. However, because it is not a bug in the “rsync” protocol, this CVE entry was rejected.
rsync starts an application on the remote server, which is then used for communication.
When starting the communication, any parameters can be passed. Because they are executed by the standard shell, it is possible to use arbitrary functions of this shell. This includes functions like “command expansion” and similar.
This behavior is similar to execute following command:
$ ssh remoteserver -C "ls"
In this case a remote command is executed. This command uses the same method as the rsync command when starting the rsync server component.
Test with SSH-MITM
The man in the middle server is able to modify the sent command. This allows to execute arbitrary commands as the user on the remote server without the need to open a shell.
To inject additional commands during a file transfer from the client to the server you have to start ssh-mitm with following arguments:
$ ssh-mitm server --scp-interface replace-command \
--scp-append-string '`touch /home/testuser/exploit.sh`'
On the client side, rsync is started with following command:
$ rsync -e 'ssh -p 10022 -A' 'testuser@127.0.0.1:test.txt' .