A comprehensive demonstration of Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerabilities in Unix-like systems. This lab explores how symbolic link attacks can exploit the time window between access permission checks and file operations in setuid programs.
Click the image above to watch a complete walkthrough of this lab
This repository contains a vulnerable C program and attack scripts that demonstrate a classic race condition vulnerability. The vulnerable program appears harmless at first glance but contains a critical flaw in how it handles file access permissions, allowing attackers to manipulate symbolic links and gain unauthorized access to protected system files.
A setuid root program that:
- Accepts user input (up to 50 characters)
- Checks write permissions for
/tmp/XYZusingaccess() - Opens and appends user input to the file if permission check passes
- Contains a race condition between the permission check and file operation
Bash script that:
- Monitors changes to
/etc/passwdfile - Continuously executes the vulnerable program with crafted input
- Stops execution when the target file has been successfully modified
- Demonstrates the persistence required for successful race condition attacks
The vulnerability exists in the time window between:
- Time of Check:
access(fn, W_OK)- checking write permissions - Time of Use:
fopen(fn, "a+")- actually opening the file
During this brief window, an attacker can:
- Remove the original
/tmp/XYZfile - Create a symbolic link from
/tmp/XYZto a protected file (e.g.,/etc/passwd) - Cause the program to write to the protected file instead
- Target Selection:
/etc/passwd- the system password file - Payload Creation: Crafted user entry with root privileges (UID 0)
- Symbolic Link Manipulation: Rapidly switching
/tmp/XYZbetween regular file and symbolic link - Privilege Escalation: Adding a new root account without password
- Linux system (Ubuntu/Debian preferred)
- GCC compiler
- Root/sudo access for initial setup
Ubuntu 10.10+ includes built-in protection against symbolic link attacks. Disable this protection:
sudo sysctl -w fs.protected_symlinks=0To re-enable protection:
sudo sysctl -w fs.protected_symlinks=1- Compile the vulnerable program:
gcc vulp.c -o vulp- Set appropriate permissions (setuid root):
sudo chown root vulp
sudo chmod 4755 vulp- Make scripts executable:
chmod +x target_process.shThe attack payload creates a new user entry for /etc/passwd:
test:U6aMy0wojraho:0:0:test:/root:/bin/bash
Where:
test: UsernameU6aMy0wojraho: Passwordless hash (empty password)0: User ID (root privilege)0: Group ID (root group)
- Start the target process:
./target_process.sh- Run the attack process (in separate terminal):
./attack.sh # (Attack script creating symbolic links)-
Monitor for success: The target process will output "STOP... The passwd file has been changed" when successful
-
Test privilege escalation:
su test # No password required
id # Should show uid=0 (root)- TOCTOU Vulnerabilities: Understanding time-based race conditions
- Setuid Program Risks: How privilege escalation can be exploited
- Symbolic Link Attacks: Manipulating file system links for unauthorized access
- System File Protection: Importance of atomic operations and proper validation
- Race Condition Exploitation: Timing attacks against file operations
- Symbolic Link Manipulation: Rapid switching between file types
- Privilege Escalation: Gaining root access through system file modification
- Persistence Mechanisms: Continuous attack attempts until success
- Use file descriptors consistently: Open file once and reuse the descriptor
- Implement atomic operations: Use
openat()withO_NOFOLLOWflag - Avoid TOCTOU patterns: Eliminate separate check and use operations
- Validate file types: Ensure files are not symbolic links before use
- Enable symbolic link protection: Keep
fs.protected_symlinks=1 - Use temporary directories with proper permissions: Restrict access to temp files
- Implement mandatory access controls: SELinux, AppArmor, etc.
- Regular security audits: Identify and fix TOCTOU vulnerabilities