
Is it possible to plan for race conditions, so that you can execute specific commands at a specific time?

For example, the following code is vulnerable to a race condition. Is it possible to modify the file / replace it with a symlink exactly when the race window occurs and without trying continuously (like with while True)?

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

char buffer[64];

/* Check-then-use: the gap between access() and open() is the race window */
if (access("file", W_OK) != 0) {
   exit(1);
}

int fd = open("file", O_WRONLY);
write(fd, buffer, sizeof(buffer));

Can I exploit this vulnerability with one attempt or one try? If the answer is true, how can I write an exploit to do this?

Is timing the execution flow with the C function sleep(seconds) possible?

techraf
user104787
  • Why do you limit this to "one try", when your attacker will not place any such limit on himself? Perhaps the attacker finds a way to monitor "file" for access, loads the system down with many other processes hitting the file system hard, maybe lowers the priority of your program, and then triggers his attack based on monitoring the file system watching for your initial access(). Such an attack wouldn't necessarily be limited to your code. – John Deters Mar 24 '16 at 20:45
  • How would you do this in practice? – user104787 Mar 24 '16 at 20:48
  • Or maybe you know some papers or tutorials on that? – user104787 Mar 24 '16 at 20:51
  • Try running the program in GDB, putting a break point right after the first check, then changing your file to a symlink and resume execution of the program in GDB. – sethmlarson Mar 25 '16 at 13:16

2 Answers


You would need to be able to trace the execution of the vulnerable program somehow to detect when the code in question gets executed. One possibility would be a debugger or ptrace. But to trace the program this way you would need to have the appropriate permissions, i.e. same or higher privileges than the user executing the program. But in this case you would not need to exploit the vulnerability at all because you have the same or higher privileges already.

Another way would be to watch for specific events which usually get executed shortly before the vulnerable code and which are visible with lower privileges. This might include the creation of files in public directories or similar. The details of these events, and whether they exist at all, highly depend on the program you are trying to exploit, i.e. there is no general application-independent way to detect the time when the vulnerability could be exploited.

Steffen Ullrich

It will vary based on a number of factors, including OS and filesystem. For example, if your code is using an NFS mount and the hack is on the fileserver then there's a reasonable chance an inotify event would do the trick. DFS can introduce weird states where a just-written file is missing for reads - I've seen this randomly take down a BI job that had been stable for years.

Of course, in your example, it would be better to just try opening the file for writing and test for success, rather than an explicit check before open.

Phil Lello