Time-of-Check to Time-of-Use (TOCTOU)

A TOCTOU race occurs when there is a time gap between a program checking a condition and the program using the thing it checked, and that thing can be swapped out during the gap. For filesystem code the classic shape is a check on a path name (access(), stat(), an ownership test) followed by a second lookup of the same name (open(), exec, a subprocess): the name may resolve to a different object the second time.

For example, suppose a program checks that a file is not owned by root and reads it if the check succeeds. If the check is done on the path name /tmp/exploit, you place a normal file there for the check to pass, then during the gap replace it with a symlink named /tmp/exploit that points at /etc/shadow; the program's read then opens /etc/shadow. The filename never changes; only what the name resolves to changes. The window is usually tiny, so in practice the swap is run in a loop, exchanging the file and the symlink back and forth until one iteration lands inside the victim's check/use gap.

A small program that swaps the names of two given files makes this easy to race.
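The following is an added example of such a swap tool, written for this page; it is not the program the page originally linked. It uses Linux renameat2() with RENAME_EXCHANGE so that the two names trade places atomically (the victim never observes a moment where one name is missing), and falls back to the older three-rename trick, which is not atomic, where that syscall is unavailable. The temp-file self-check and the COUNT argument are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)   /* value from <linux/fs.h>: exchange the two names atomically */
#endif

/* Swap the names of two paths. With renameat2(RENAME_EXCHANGE) (Linux >= 3.15)
 * the swap is one atomic operation, so at no instant is either name missing.
 * Where the syscall is unavailable we fall back to three rename() calls, the
 * way older swap tools worked; that fallback is NOT atomic and briefly leaves
 * one name absent. rename() acts on the link itself, so a symlink can be
 * exchanged with a regular file. Returns 0 on success, -1 (errno set) on failure. */
static int swap_names(const char *a, const char *b)
{
#ifdef SYS_renameat2
    if (syscall(SYS_renameat2, AT_FDCWD, a, AT_FDCWD, b, RENAME_EXCHANGE) == 0)
        return 0;
    if (errno != ENOSYS && errno != EINVAL && errno != EPERM)
        return -1;
#endif
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.swap%ld", a, (long)getpid()) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (rename(a, tmp) != 0) return -1;
    if (rename(b, a) != 0) { rename(tmp, a); return -1; }
    return rename(tmp, b);
}

/* Self-check (constructed input): two temp files holding "A" and "B" must hold
 * "B" and "A" after a swap. Returns 1 when they do, 0 otherwise. */
static int demo_swap(void)
{
    char a[] = "/tmp/toctou_a_XXXXXX", b[] = "/tmp/toctou_b_XXXXXX";
    int fa = mkstemp(a);
    if (fa < 0) return 0;
    int fb = mkstemp(b);
    if (fb < 0) { close(fa); unlink(a); return 0; }
    int wrote = write(fa, "A", 1) == 1 && write(fb, "B", 1) == 1;
    close(fa); close(fb);
    int ok = 0;
    if (wrote && swap_names(a, b) == 0) {
        char ca = 0, cb = 0;
        int ra = open(a, O_RDONLY), rb = open(b, O_RDONLY);
        if (ra >= 0 && rb >= 0 && read(ra, &ca, 1) == 1 && read(rb, &cb, 1) == 1)
            ok = (ca == 'B' && cb == 'A');
        if (ra >= 0) close(ra);
        if (rb >= 0) close(rb);
    }
    unlink(a); unlink(b);
    return ok;
}

/* Usage: swap FILE1 FILE2 [COUNT]
 * Swaps the two names COUNT times (default 1). Run with a large COUNT in the
 * background while the target program runs, so the file and the symlink keep
 * changing places across the target's check/use window. */
int main(int argc, char **argv)
{
    if (argc != 3 && argc != 4) {
        fprintf(stderr, "usage: %s FILE1 FILE2 [COUNT]\n", argv[0]);
        return 2;
    }
    long count = argc == 4 ? strtol(argv[3], NULL, 10) : 1;
    for (long i = 0; i < count; i++) {
        if (swap_names(argv[1], argv[2]) != 0) { perror("swap"); return 1; }
    }
    return 0;
}
```

To race the example above you would create the real file and the symlink under two names in the same directory (RENAME_EXCHANGE requires both to be on the same filesystem), start this tool with a large COUNT, and run the victim repeatedly until the read lands on the symlink.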

Prevention

Open the file once, get a file descriptor, do the check on the descriptor (fstat() rather than stat()), and keep using that descriptor for everything that follows. A descriptor is bound to the open file object, not to the name, so whatever was checked is what gets read. Adding O_NOFOLLOW to the open also stops a symlink in the final path component from being followed at all.

If you really must hand a path to something (system("cat " + file_path), or another program that only accepts a path), pass /proc/PROCESS_ID/fd/FILE_DESCRIPTOR_NUMBER (in your own process, /proc/self/fd/N). That path is a magic symlink to the open file object itself rather than to the name it was opened under, so opening it yields the same file that was checked. A child that inherits the descriptor can open its own /proc/self/fd/N (or /dev/fd/N); keep in mind that descriptors opened with O_CLOEXEC are not inherited across exec, and that opening /proc/PID/fd/N of a different process requires permission to inspect that process.

Because the link resolves through the descriptor, it keeps working after the file is renamed, and even after it is deleted: readlink on it then shows the old name with a "(deleted)" suffix, but open() on it still succeeds, because the inode stays alive for as long as the handle exists.
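The following is an added example (not code from the original page) showing the vulnerable check-then-use pattern beside the hardened open-then-fstat form, and the /proc/self/fd trick for handing a checked descriptor to a path-only consumer. It checks "owned by the calling user" rather than "not owned by root" so that it behaves the same whichever user runs it; the temp-file self-checks and their names are assumptions of this example, and the /proc path is Linux-specific.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* VULNERABLE: check on the path, then use the path again. Between stat() and
 * open() the name can be re-pointed (rename, symlink swap), so the object that
 * is opened need not be the object that was checked. */
static int open_if_owned_by_caller_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;                       /* time of check */
    if (st.st_uid != getuid() || !S_ISREG(st.st_mode)) return -1;
    return open(path, O_RDONLY);                               /* time of use */
}

/* HARDENED: open first, then check the object behind the descriptor with
 * fstat(). The descriptor is bound to the inode, so the thing checked is the
 * thing read. O_NOFOLLOW refuses a symlink in the final path component;
 * O_CLOEXEC keeps the fd from leaking into children we did not intend. */
static int open_if_owned_by_caller(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != getuid() || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Name an already-checked descriptor for a path-only consumer via
 * /proc/self/fd/N (Linux). Reads from that path into buf (0-terminated);
 * returns bytes read or -1. */
static ssize_t read_via_proc_fd(int fd, char *buf, size_t n)
{
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int fd2 = open(procpath, O_RDONLY);
    if (fd2 < 0) return -1;
    ssize_t got = read(fd2, buf, n - 1);
    close(fd2);
    if (got < 0) return -1;
    buf[got] = '\0';
    return got;
}

/* Self-check 1 (constructed input): the checked fd stays readable through
 * /proc/self/fd after the file is renamed and then unlinked. 1 = as expected. */
static int demo_fd_survives_rename_and_unlink(void)
{
    char path[] = "/tmp/toctou_fd_XXXXXX", moved[64];
    const char *msg = "constructed sample content";
    int w = mkstemp(path);
    if (w < 0) return 0;
    int wrote = write(w, msg, strlen(msg)) == (ssize_t)strlen(msg);
    close(w);
    int fd = wrote ? open_if_owned_by_caller(path) : -1;
    if (fd < 0) { unlink(path); return 0; }
    snprintf(moved, sizeof moved, "%s.moved", path);
    if (rename(path, moved) == 0) unlink(moved); else unlink(path);  /* name gone, inode still open */
    char buf[128];
    ssize_t got = read_via_proc_fd(fd, buf, sizeof buf);
    close(fd);
    return got > 0 && strcmp(buf, msg) == 0;
}

/* Self-check 2 (constructed input): a symlink to a caller-owned file passes the
 * racy version (stat() follows it) but is refused by the hardened one
 * (O_NOFOLLOW). 1 = as expected. */
static int demo_nofollow_refuses_symlink(void)
{
    char target[] = "/tmp/toctou_t_XXXXXX", lnk[64];
    int w = mkstemp(target);
    if (w < 0) return 0;
    close(w);
    snprintf(lnk, sizeof lnk, "%s.lnk", target);
    if (symlink(target, lnk) != 0) { unlink(target); return 0; }
    int racy = open_if_owned_by_caller_racy(lnk);
    int safe = open_if_owned_by_caller(lnk);
    if (racy >= 0) close(racy);
    if (safe >= 0) close(safe);
    unlink(lnk); unlink(target);
    return racy >= 0 && safe < 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open_if_owned_by_caller(argv[1]);
    if (fd < 0) { perror("refused"); return 1; }
    char buf[4096];
    ssize_t got = read_via_proc_fd(fd, buf, sizeof buf);
    close(fd);
    if (got < 0) { perror("read"); return 1; }
    fwrite(buf, 1, (size_t)got, stdout);
    return 0;
}
```

Note that O_NOFOLLOW only protects the last component: a directory earlier in the path can still be swapped for a symlink. When that matters, open the directory first and use openat() relative to that directory descriptor, applying the same open-then-fstat discipline at each step.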
