Citation bot (talk | contribs) Alter: title, template type. Add: chapter-url, chapter, date. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox2 | #UCB_webform_linked 2097/2384 |
→Examples: clarify |
Line 43:
{{Unsourced section|date=July 2022}}
In [[Unix]], the following [[C (programming language)|C]] code, when used in a <code>[[setuid]]</code> program, has a TOCTOU bug:
<syntaxhighlight lang="c" line="1">
if (access("file", W_OK) != 0) {
exit(1);
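Review bot: The section still opens with {{Unsourced section|date=July 2022}} and nothing in this hunk adds a reference for the claim that the access-then-open sequence in a setuid program is a TOCTOU bug. The access(2) manual page warns against exactly this pattern of checking with access() before calling open(), so citing it on the introductory sentence would let the tag be removed.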
Line 55:
This race condition is vulnerable to an attack:
{| class="wikitable"
|+
!Victim |-
|<syntaxhighlight lang="c" line="1">
if (access("file", W_OK) != 0) {
exit(1);
}
fd = open("file", O_WRONLY);▼
// Actually writing over /etc/passwd▼
write(fd, buffer, sizeof(buffer));▼
</syntaxhighlight>
|-
<syntaxhighlight lang="c">▼
|
|After the access check, before the open, the attacker replaces <code>file</code> with a [[symlink]] to the Unix password file <code>[[/etc/passwd]]</code>:<syntaxhighlight lang="c">
symlink("/etc/passwd", "file");
</syntaxhighlight>
|-
▲|<syntaxhighlight lang="c" line="1" start="5">
▲fd = open("file", O_WRONLY);
▲write(fd, buffer, sizeof(buffer));
|
|}
In this example, an attacker can exploit the race condition between the <code>access</code> and <code>open</code> to trick the <code>setuid</code> victim into overwriting an entry in the system password database. TOCTOU races can be used for [[privilege escalation]] to get administrative access to a machine.
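Review bot: In the relocated victim block that starts at start="5", only the open and write calls are shown; the comment "// Actually writing over /etc/passwd" appears only at the earlier position and is not carried over in the visible lines. Without it, the third row does not say that the write now lands on the symlink target, and the reader has to infer that from the paragraph after the table. Suggest keeping the comment above the write call in the relocated block, or stating in the adjacent empty cell that the open follows the symlink to /etc/passwd.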