CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.
Execution Flow
Step 1: Explore
The adversary explores to gauge what level of access they have.
Step 2: Experiment
The adversary confirms access to a resource on the target host. The adversary confirms ability to modify the targeted resource.
Step 3: Exploit
The adversary decides to leverage the race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary can replace the resource and cause an escalation of privilege.
Prerequisites
- A resource is accessed or modified concurrently by multiple processes.
- The adversary is able to modify the resource.
- A race condition exists while accessing the resource.
Skills Required
Consequences
Scope: Integrity
Technical Impact: Modify Data
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Gain Privileges
Scope: Confidentiality, Integrity, Availability
Technical Impact: Alter Execution Logic
Scope: Confidentiality
Technical Impact: Read Data
Scope: Availability
Technical Impact: Resource Consumption
Note: Denial of Service
Mitigations
Use safe libraries to access resources such as files.
Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.
Use synchronization to control the flow of execution.
Use static analysis tools to find race conditions.
Pay attention to concurrency problems related to the access of resources.
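The mitigations above are abstract; the following is an added illustration (not part of the CAPEC entry) of the file-access case the description uses. It places the classic check-then-use pattern with access() followed by open() beside a hardened variant that opens once with O_NOFOLLOW and validates the descriptor it actually holds via fstat(), so a swap between check and use cannot change the object being written. The demo_scenario() helper and the /tmp/toctou-demo path are constructed for demonstration.

```c
#define _GNU_SOURCE               /* for O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable check-then-use: access() and open() each resolve the path, so the file can be swapped in between. */
int unsafe_open_for_write(const char *path)
{
    if (access(path, W_OK) != 0)           /* time of check */
        return -1;
    return open(path, O_WRONLY);           /* time of use */
}
/* Hardened: open once without following symlinks, then validate the descriptor itself with fstat(). */
int safe_open_for_write(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)   /* only regular files */
        || st.st_uid != expected_owner                /* not planted by another user */
        || (st.st_mode & S_IWOTH)) {                  /* not world-writable */
        close(fd);
        return -1;
    }
    return fd;
}
/* Constructed scenario: a legitimate file plus a symlink planted beside it. Returns 1 when the
 * unsafe opener follows the link while the hardened one accepts the file and rejects the link. */
int demo_scenario(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", file[64], lnk[64];
    int ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/config", dir);
    snprintf(lnk, sizeof lnk, "%s/planted", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && symlink(file, lnk) == 0) {
        int leaky = unsafe_open_for_write(lnk);          /* follows the planted link */
        int good = safe_open_for_write(file, geteuid()); /* accepted */
        int bad = safe_open_for_write(lnk, geteuid());   /* rejected: ELOOP */
        ok = leaky >= 0 && good >= 0 && bad < 0;
        if (leaky >= 0) close(leaky);
        if (good >= 0) close(good);
        unlink(lnk);
    }
    if (fd >= 0) { close(fd); unlink(file); }
    rmdir(dir);
    return ok;
}
```

The owner and mode checks on the descriptor are what make the mitigation robust: even if a link check is bypassed by a hard link or a swapped regular file, a file not owned by the expected user or writable by everyone is refused.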
Example Instances
The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. See also: CVE-2007-1057