#include <stdio.h>
#include <unistd.h>
#include <errno.h>
/*
* An insecure way to check whether the current user has write access to a
* file, demonstrating a Time-of-Check Time-of-Use (TOCTOU) vulnerability.
*
* Time-of-Check Time-of-Use is a race condition in which the state of a
* resource (typically a file) is changed after the check, invalidating the
* check itself.
*
* In our demonstration, we have two Linux users - abhishek and sachin - and
* two files: temporary-file, owned by abhishek, and privileged-file, owned
* by sachin. abhishek does not have read, write or execute permissions on
* privileged-file.
*
* However, the program is run as root and uses access() to verify whether the
* current user has write permission to temporary-file. (access() checks the
* real user ID, so the scenario presumably assumes a setuid-root binary invoked
* by abhishek rather than a process started by root itself.) After the check,
* there is a gap before the file is used - during which the attacker deletes
* temporary-file and creates a symlink to privileged-file. As a result, the
* program incorrectly updates privileged-file instead of temporary-file.
*/
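/*
 * Demonstration entry point: checks write access to "temporary-file" with
 * access(), waits ten seconds, then opens the same path by name and writes
 * one line to it.
 *
 * The check and the use are two independent path lookups, so nothing ties the
 * file that was checked to the file that is opened. That race is the subject
 * of the demonstration and is deliberately left in place. Code that must not
 * have it should skip access() entirely: either drop to the real user's IDs
 * before opening, or open() with O_NOFOLLOW and validate the resulting
 * descriptor with fstat(), so that every decision is made on the object that
 * is actually written.
 *
 * Returns 0 when the line was written or when access() denied the write, and
 * 1 when opening, writing or closing the file failed.
 */
int main(void) {
    char file_name[] = "temporary-file";

    /* Time of check: access() answers for the real user ID, by path name. */
    if (access(file_name, W_OK) != 0) {
        printf("Unable to open file %s\n", file_name);
        return 0;
    }

    /*
     * A window between check and use always exists, even in a simple
     * single-threaded program, because the scheduler may preempt the process
     * at any point. The window is widened explicitly here so that the
     * demonstration is simple and reliable.
     */
    for (int i = 0; i < 2; i++) {
        sleep(5);
        printf("Five seconds have passed...\n");
    }

    /*
     * Time of use: the path is resolved a second time. If temporary-file was
     * replaced by a symlink during the window, fopen() follows it and the
     * write below lands in privileged-file.
     */
    FILE *file = fopen(file_name, "w+");
    if (file == NULL) {
        /* The original passed a NULL stream to fprintf() here. */
        perror("fopen");
        return 1;
    }

    int rc = 0;
    if (fprintf(file, "Hello, World!\n") < 0) {
        perror("fprintf");
        rc = 1;
    }

    /* fclose() flushes the buffered line; a failure means the write was lost. */
    if (fclose(file) != 0) {
        perror("fclose");
        rc = 1;
    }
    return rc;
}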