CVE-2002-0048

rsync - Remote Code Execution via Signedness Error in I/O Functions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2002-0048. PoCs published by sorbo, Teso.

AI-analyzed exploit summary This exploit targets a frame pointer overflow in rsync <= 2.5.1, allowing arbitrary memory writes via a negative array index. It achieves remote code execution (RCE) as root by corrupting the stack and redirecting execution to shellcode.

Description

Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.

Exploits (3)

exploitdb WORKING POC VERIFIED
by sorbo · cremotelinux
https://www.exploit-db.com/exploits/21242

This exploit targets a frame pointer overflow in rsync <= 2.5.1, allowing arbitrary memory writes via a negative array index. It achieves remote code execution (RCE) as root by corrupting the stack and redirecting execution to shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: rsync <= 2.5.1
No auth needed
Prerequisites: Network access to rsync service · Chroot must be disabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Teso · cremotelinux
https://www.exploit-db.com/exploits/399

This exploit targets a buffer overflow vulnerability in rsync versions <= 2.5.1, allowing remote code execution via crafted input with negative lengths. It includes shellcode for Linux and FreeBSD to spawn a shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: rsync <= 2.5.1
No auth needed
Prerequisites: Network access to rsync service (port 873) · Vulnerable rsync version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Teso · cremotelinux
https://www.exploit-db.com/exploits/398

This exploit targets a buffer overflow vulnerability in rsync versions up to 2.5.1, allowing remote code execution via a crafted payload. It leverages a NULL byte off-by-one error in read_sbuf to overwrite memory and execute shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: rsync <= 2.5.1
No auth needed
Prerequisites: Network access to the rsync service (port 873) · Vulnerable rsync version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/3958
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=101223214906963&w=2
Various Sources vendor-advisory x_refsource_engarde
http://www.linuxsecurity.com/advisories/other_advisory-1853.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=101223603321315&w=2
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000458
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/800635
Patch vendor-advisory x_refsource_debian
http://www.debian.org/security/2002/dsa-106
Patch, Vendor Advisory vendor-advisory x_refsource_suse
http://lists.suse.com/archives/suse-security-announce/2002-Jan/0003.html
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.caldera.com/support/security/advisories/CSSA-2002-003.0.txt
Third Party Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/7993.php
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2002-018.html
Various Sources vendor-advisory x_refsource_freebsd
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:10.rsync.asc
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://online.securityfocus.com/advisories/3839
Various Sources vendor-advisory x_refsource_mandrake
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-009.php

Scores

EPSS 0.3402
EPSS Percentile 98.2%

Details

Status published
Products (9)
andrew_tridgell/rsync 2.3.1
andrew_tridgell/rsync 2.3.2
andrew_tridgell/rsync 2.3.2_1.2 (6 CPE variants)
andrew_tridgell/rsync 2.4.1
andrew_tridgell/rsync 2.4.3
andrew_tridgell/rsync 2.4.4
andrew_tridgell/rsync 2.4.6
andrew_tridgell/rsync 2.5.0_1
andrew_tridgell/rsync 2.5.1
Published Feb 27, 2002
Tracked Since Feb 18, 2026