Overview
A race condition occurs when multiple processes access and manipulate the same data concurrently, and the outcome of the execution depends on the particular order in which the accesses take place. If a privileged program has a race-condition vulnerability, attackers can run a parallel process to "race" against the privileged program, intending to change the program's behavior.
Environment Setup
Tasks
Task 1
Task 2
The ultimate goal is to gain the root privilege. The most critical step of the attack, making /tmp/XYZ point to the password file, must occur within the window between check and use; namely between the access and fopen calls in the vulnerable program.
Task 2.A: Simulating a Slow Machine
At the start, /tmp/XYZ needs to be linked to /dev/null so that the program is guaranteed to get past the access() check.
After that the write can happen, but the symbolic link must be changed during the 10-second sleep.
We can see that the corresponding string has been appended to the target file.
Task 2.B: The Real Attack
The typical strategy in race condition attacks is to run the attack program in parallel to the target program, hoping to be able to do the critical step within that time window.
The malicious.c code:
What we need to do is modify the .sh script and run it in parallel with the target program.
We can see that the passwd file has already been changed.
Task 2.C: An Improved Attack Method
If XYZ becomes owned by root, the attack will no longer succeed, because the attack program, running with the seed user's privileges, can no longer unlink it. This is because the /tmp directory has the "sticky" bit set, which means only the owner of a file can delete it, even though the directory is writable.
The main reason this happens is that the attack program is switched out after unlink but before symlink. Because these two operations are not atomic, if a context switch happens between them, the target Set-UID program gets a chance to run its open() call, which creates a new file owned by root. After that, the attack program can no longer make changes to /tmp/XYZ.
To solve the above problem, the two operations are made atomic, as follows: the file that XYZ links to is changed continuously, so that the condition for the attack is met.
Task 3: Countermeasures
Task 3.A: Applying the Principle of Least Privilege
A "permission denied" error occurs when the program cannot open the file. When /tmp/XYZ links to /dev/null, the program can pass access(), but it no longer has root privilege to modify the file.
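Added example (not the lab's code or the original post's): a hardened append routine that applies the least-privilege countermeasure above, dropping the effective uid to the real uid around the open and refusing to follow a symlink with O_NOFOLLOW, plus a self-check that builds a constructed temp file and symlink under /tmp. Function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened replacement for the lab's access()-then-fopen() append: the
 * open runs with the caller's real uid (so the kernel's own permission check
 * applies) and O_NOFOLLOW rejects a symlink at the last path component.
 * Returns 0 on success, -1 with errno set (ELOOP for a symlink) on failure. */
int append_as_real_user(const char *path, const char *data)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)            /* Task 3.A: drop privilege first */
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    int open_errno = errno;
    int restored = seteuid(saved_euid);    /* restore before returning */
    if (fd < 0 || restored != 0) {
        if (fd >= 0) close(fd); else errno = open_errno;
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (n >= 0 && (size_t)n == strlen(data)) ? 0 : -1;
}

/* Self-check with constructed files: appending to a regular temp file works,
 * while a symlink to it (standing in for /tmp/XYZ) is refused with ELOOP. */
int demo_symlink_refused(void)
{
    char target[] = "/tmp/seed_targetXXXXXX";
    char lnk[64];
    int fd = mkstemp(target);
    if (fd < 0) return 0;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", target);
    int ok = append_as_real_user(target, "regular file: ok\n") == 0
          && symlink(target, lnk) == 0
          && append_as_real_user(lnk, "via symlink\n") == -1
          && errno == ELOOP;
    unlink(lnk);
    unlink(target);
    return ok;
}
```

In a non-Set-UID process seteuid(getuid()) is a no-op that returns 0, so the routine behaves the same whether or not the binary is privileged.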
Task 3.B: Using Ubuntu’s Built-in Scheme
After the built-in protection is turned on, the attack also fails. When the protection mechanism is enabled, following a symbolic link is allowed only if one of the following conditions holds:
the directory containing the symbolic link is not "sticky";
the uid of the symbolic link matches the follower;
the owner of the symbolic link matches the owner of the directory.