Kingdom: Time and State

Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time.

Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information.

Race Condition: File System Access

C/C++
COBOL

Abstract

The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.

Explanation

File access race conditions, known as time-of-check, time-of-use (TOCTOU) race conditions, occur when:

1. The program checks a property of a file, referencing the file by name.

2. The program later performs a file system operation using the same filename and assumes that the previously-checked property has not changed.
Example 1: The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should not be available to the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations.


  if (!access(file,W_OK)) {
    f = fopen(file,"w+");
    operate(f);
    ...
  }
  else {
    fprintf(stderr,"Unable to open file %s.\n",file);
  }

The call to access() behaves as expected, and returns 0 if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.

This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target.

The window of vulnerability for such an attack is the period of time between when the property is tested and when the file is used. Even if the use immediately follows the check, modern operating systems offer no guarantee about the amount of code that is executed before the process yields the CPU. Attackers have a variety of techniques to expand the length of the window of opportunity in order to make exploits easier. However, even with a small window, an exploit attempt can simply be repeated over and over until it is successful.

Example 2: The following code creates a file and then changes the owner of the file.


    fd = creat(FILE, 0644);  /* Create file */
    if (fd == -1)
        return;
    if (chown(FILE, UID, -1) < 0) {  /* Change file owner */
      ...
    }

The code assumes that the file operated upon by the call to chown() is the same as the file created by the call to creat(), but that is not necessarily the case. Since chown() operates on a file name and not on a file handle, an attacker may be able to replace the file with a link to file the attacker does not own. The call to chown() would then give the attacker ownership of the linked file.

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3

[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 5.1, Rule 1.3

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation

[21] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362

[22] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362

[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II

desc.controlflow.cpp.race_condition_file_system_access

Abstract

The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.

Explanation


  CALL "CBL_CHECK_FILE_EXIST" USING
      filename
      file-details
      RETURNING status-code
  END-CALL

  IF status-code NOT = 0
      MOVE 3 to access-mode
      MOVE 0 to deny-mode
      MOVE 0 to device

      CALL "CBL_CREATE_FILE" USING
          filename
          access-mode
          deny-mode
          device
          file-handle
          RETURNING status-code
      END-CALL
  END-IF

The call to CBL_CHECK_FILE_EXIST behaves as expected and returns a non-zero value, indicating that the file does not exist. However, because both CBL_CHECK_FILE_EXIST and CBL_CREATE_FILE operate on filenames rather than on file handles, there is no guarantee that the filename variable still refers to the same file on disk when it is passed to CBL_CREATE_FILE that it did when it was passed to CBL_CHECK_FILE_EXIST. If an attacker creates filename after the call to CBL_CHECK_FILE_EXIST, the call to CBL_CREATE_FILE will fail, leading the program to believe that the file is empty, when in fact it contains data controlled by the attacker.

The window of vulnerability for such an attack is the period of time between when the property is tested and when the file is used. Even if the use immediately follows the check, modern operating systems offer no guarantee about the amount of code that is executed before the process yields the CPU. Attackers have a variety of techniques to expand the length of the window of opportunity in order to make exploits easier. However, even with a small window, an exploit attempt can simply be repeated over and over until it is successful.

Furthermore, this type of vulnerability might apply to a program with root privileges that performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should not be available to the current user. By tricking the program into performing an operation that would otherwise be impermissible, the attacker might gain elevated privileges.