
Race Condition in server hardening


Race conditions in servers may affect different parts of the operating system, from the kernel down to system applications and scripts.

A frequent manifestation of Race Conditions in operating systems involves file system access, where the time window between when a file is checked and when the file is used can be exploited by a local attacker to attack vulnerable software.

Insecure Temporary File Handling

The Linux file system has many shared folders and files that any user on the system can manipulate. While this is usually fine and by design, poor use of these areas, such as repeatedly creating and deleting a file, may allow another user to preemptively write a file in one of these areas, compromising its integrity. This is especially bad if another user then runs those files in a script.

To avoid this, create files with tools such as mktemp, which generate random names and locations, so that another user cannot preemptively create a malicious file in their place.
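The contrast described above, as an added example that is not code from the original page: a scratch directory stands in for a shared area such as /tmp, and a world-writable file is planted at the predictable name before the script writes to it. The function names and the report.tmp file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with a constructed scenario; everything happens in a scratch directory.

# Permission string of a file, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Weak: fixed name in a shared directory. If the path already exists, the
# redirection reuses it, keeping the owner and mode its creator chose.
write_predictable() {
    echo "report data" > "$1/report.tmp"
    printf '%s\n' "$1/report.tmp"
}

# Hardened: mktemp creates a new file atomically under an unpredictable name
# with mode 0600 and never opens a path that already exists.
write_with_mktemp() {
    tmp=$(mktemp "$1/report.XXXXXXXXXX") || return 1
    echo "report data" > "$tmp"
    printf '%s\n' "$tmp"
}

demo() {
    shared=$(mktemp -d) || return 1      # stand-in for /tmp (assumption)
    : > "$shared/report.tmp"             # file planted before the script runs
    chmod 666 "$shared/report.tmp"       # planter keeps write access to it
    p=$(write_predictable "$shared")
    s=$(write_with_mktemp "$shared")
    echo "predictable name: $(mode_of "$p")  $p"
    echo "mktemp name:      $(mode_of "$s")  $s"
    rm -rf "$shared"
}

demo
```

The predictable path keeps the planted file's world-writable mode after the write, which shows the script reused a file it did not create; the mktemp path is a fresh file readable and writable only by its owner.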

Vulnerable Examples

Simple applications that check that a file is owned by the user before modifying it in some way can easily be attacked after the check but before the modification if they do not use locks.

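#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
  int fd;
  FILE *fp;
  struct stat st;
  if (argc != 3) {  /* expects: file to modify, text to write */
    fprintf(stderr, "usage: %s file message\n", argv[0]);
    exit(EXIT_FAILURE);
  }
  if ((fd = open(argv[1], O_WRONLY, 0)) < 0) {
    fprintf(stderr, "Can't open %s\n", argv[1]);
    exit(EXIT_FAILURE);
  }
  fstat(fd, &st);  /* inspects the file behind the open descriptor */
  if (st.st_uid != getuid()) {  /* caller must own the file */
    fprintf(stderr, "%s not owner !\n", argv[1]);
    exit(EXIT_FAILURE);
  }
  if (!S_ISREG(st.st_mode)) {  /* regular files only */
    fprintf(stderr, "%s not a normal file\n", argv[1]);
    exit(EXIT_FAILURE);
  }
  if ((fp = fdopen(fd, "w")) == NULL) {  /* wrap the same descriptor in a stream */
    fprintf(stderr, "Can't open\n");
    exit(EXIT_FAILURE);
  }
  fprintf(fp, "%s", argv[2]);
  fclose(fp);
  return EXIT_SUCCESS;
}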

References

CGSecurity - C Code Example