m robot Adding: de:Time-Of-Check-to-Time-Of-Use-Problem
m →access Example: I updated the example to show how TOCTTOU races can be used to escalate privilege and the interleaving. Also, I tried to make the implication of the example more precise.
Line 12:
fd = open(file, O_RDONLY);
write(fd, buffer, sizeof(buffer));
</source>
Here, ''access'' is intended to check whether the real user who executed the setuid program would normally be allowed to read the file (i.e., ''access'' checks the [[real userid]] rather than [[effective userid]]).
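Review bot: in the hunk at Line 12, `fd = open(file, O_RDONLY);` is immediately followed by `write(fd, buffer, sizeof(buffer));`, but write() on a descriptor opened read-only fails with EBADF, so this example never touches the file. The sentence right after it says ''access'' checks whether the real user may read the file, so the check (read) and the use (write) do not match either. Either make the use a read(), or open with O_WRONLY and have the preceding access() call test W_OK, so that the permission checked is the permission later used; that is what the TOCTTOU argument needs.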
Line 18:
This race condition is vulnerable to an attack:
{| border="1" cellpadding="2"
|Victim
|Attacker
|-
|<source lang="c">
if (access(file, R_OK) != 0) {
exit(1);
}
fd = open("file", O_RDWR);
// Actually writing over /etc/passwd
write(fd, buffer, sizeof(buffer));
</source>
||
<source lang="c">
// After the access check
//
symlink("file", "/etc/passwd");
// Before the open, "file" points to the password database
//
</source>
|}
In this example, an attacker can exploit the race condition between the access and open to trick the setuid victim into overwriting an entry in the system password database. TOCTTOU races can be used for [privilege escalation], to get administrative access to a machine.
Although this sequence of events requires precise timing, it is possible for an attacker to arrange such conditions without too much difficulty.
The implication is that
== References ==
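Review bot: the Attacker column in the hunk at Line 18 has the symlink() arguments reversed: `symlink("file", "/etc/passwd");` creates /etc/passwd as a link pointing at "file", which is the opposite of what the comment below it says (that "file" points to the password database) and would itself require root. The call should read `symlink("/etc/passwd", "file");`. In the Victim column, `if (access(file, R_OK) != 0) {` checks the variable `file` for read permission, but the program then opens the string literal `"file"` with O_RDWR and writes to it; using the same `file` argument in both calls and checking W_OK would make the code match the race the prose describes (a read check followed by a write). One wikitext point in the same hunk: `[privilege escalation]` with single brackets renders as an external link; the intended internal link is `[[privilege escalation]]`.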