PoC and notes about TOCTOU (race condition) vulnerability in C language and tested on GNU/Linux (Ubuntu 16.04).
davidenetti/TOCTOU_Vulnerability
TOCTOU Vulnerability

Description

This PoC exploits a race condition in a vulnerable program written in C ("vulp.c"). The race window lies between the access() check and the fopen() call in "vulp.c" (time of check / time of use). During the time between these two calls, a second C program ("attackrace.c") repoints a symbolic link, /tmp/XYZ (created by us), first at an empty text file we created ("/home/seed/Desktop/test.txt") and then at another file (/etc/passwd). The link is switched between these two targets in an infinite loop (while(1)). Finally, a bash script ("checkrace.sh") drives the vulnerable process and checks its status. The objective is to append a new user with the hash of an empty password to the "passwd" file. To do this, I created a single-line file called "valueToAppend" whose content is fed as input to vulp.
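The fix for this class of bug is to remove the check-to-use window rather than to narrow it. The following is an added example, not code from this repository: it shows the access()/fopen() shape the description refers to next to a hardened open that drops to the real uid, refuses to follow a symlink at the final path component (O_NOFOLLOW) and validates the object it actually opened through the descriptor (fstat), so no second path lookup exists for an attacker to race. The file and symlink under /tmp, and the function names, are constructed for the demonstration.

```c
/*
 * Added example (not part of the TOCTOU_Vulnerability repository):
 * the access()/fopen() pattern beside a hardened open with no
 * check-to-use window. Paths below are constructed under /tmp.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: the check (access) and the use (fopen) are two
 * separate path lookups. The path can be repointed between them, and
 * fopen silently follows a symlink. */
FILE *vulnerable_open_append(const char *path)
{
    if (access(path, W_OK) != 0)      /* time of check */
        return NULL;
    return fopen(path, "a+");         /* time of use */
}

/* Hardened shape: no separate check. Open as the real user, refuse to
 * follow a symlink at the final component, then validate what was
 * actually opened via the descriptor, which cannot be swapped under us
 * the way a path can. Returns an fd, or -1 with errno set. */
int safe_open_append(const char *path)
{
    uid_t real_uid = getuid();
    uid_t saved_euid = geteuid();
    struct stat st;

    /* In a Set-UID binary this sheds root for the duration of the open,
     * so the kernel enforces the real user's permissions for us. */
    if (seteuid(real_uid) != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    int open_errno = errno;
    if (seteuid(saved_euid) != 0) {       /* restore privilege */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = open_errno;               /* ELOOP if path was a symlink */
        return -1;
    }
    /* Post-open validation on the descriptor: a regular file we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular file we own plus a symlink pointing at
 * it. Returns 0 when the hardened open accepts the file, refuses the
 * symlink with ELOOP, and the vulnerable open follows the symlink. */
int run_demo(void)
{
    char file_path[] = "/tmp/toctou_demo_XXXXXX";
    char link_path[64];
    int rc = 1, fd, lfd;
    FILE *fp;

    fd = mkstemp(file_path);
    if (fd < 0) return 1;
    close(fd);
    snprintf(link_path, sizeof link_path, "%s.lnk", file_path);
    unlink(link_path);
    if (symlink(file_path, link_path) != 0) { unlink(file_path); return 2; }

    fd = safe_open_append(file_path);                 /* regular file: ok */
    if (fd < 0) { rc = 3; goto out; }
    if (write(fd, "ok\n", 3) != 3) { close(fd); rc = 4; goto out; }
    close(fd);

    errno = 0;
    lfd = safe_open_append(link_path);                /* symlink: refused */
    if (lfd != -1) { close(lfd); rc = 5; goto out; }
    if (errno != ELOOP) { rc = 5; goto out; }

    fp = vulnerable_open_append(link_path);           /* symlink: followed */
    if (fp == NULL) { rc = 6; goto out; }
    fclose(fp);
    rc = 0;
out:
    unlink(link_path);
    unlink(file_path);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (code %d)\n",
           rc == 0 ? "hardened open refused the symlink" : "unexpected result", rc);
    return rc;
}
```

Note that the seteuid() calls are no-ops for an unprivileged process, so the example runs as a normal user; in a Set-UID binary like vulp they are what makes the kernel, not access(), decide whether the real user may write the file.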

Important notes

Compile vulp.c: gcc vulp.c -o vulp

Set the Set-UID on the vulnerable program (in order to execute this process with the root privileges and write inside the /etc/passwd file):

  • sudo chown root:root vulp
  • sudo chmod 4755 vulp

Compile attackrace.c:

  • gcc attackrace.c -o attackrace
  • sudo chmod 755 attackrace

To execute the attacks open two terminal tabs and do the following:

  1. ./attackrace
  2. ./checkrace.sh -> in the other tab

I recommend removing the user added to the passwd file at the end of the tests. I also remind you to adapt the files in this PoC to your context (pay attention to filepaths!).

Typically, on newer Linux kernels you have to disable the protected-symlinks hardening (which blocks following symlinks in world-writable sticky directories such as /tmp) for the PoC to work. On Ubuntu 16.04: sudo sysctl -w fs.protected_symlinks=0. Check online for other GNU/Linux versions.
