PoC and notes about TOCTOU (race condition) vulnerability in C language and tested on GNU/Linux (Ubuntu 16.04).
This PoC tries to exploit a race condition present in a vulnerable program written in C ("vulp.c"). The race condition is located between the syscalls "access" and "fopen" (time of check/time of use) of the "vulp.c" file. During the time between these two calls, with another program written in C ("attackrace.c") we create a symbolic link associated with the file /tmp/XYZ (created by us) and associate it first with a file of empty text and created by us ("/home/seed/Desktop/test.txt") and then another file (/etc/passwd). The symbolic link is switched infinitely (while(1)) between these two values. Finally, a bash script was written to attack the vulnerable process and check its status (the file is "checkrace.sh"). The objective is to write a new user with the hash value of empty password inside the file "passwd". To do this, I created a single-line file called "valueToAppend" and subsequently its content becomes the input of the vulp file.
Compile the vulp.c:
gcc vulp.c -o vulp
Set the Set-UID on the vulnerable program (in order to execute this process with the root privileges and write inside the /etc/passwd file):
sudo chown root:root vulpsudo chmod 4755 vulp
Compile the attackrace.c:
gcc attackrace.c -o attackracesudo chmod 755 attackrace
To execute the attacks open two terminal tabs and do the following:
./attackrace./checkrace.sh-> in the other tab
I recommend removing the user added to the passwd file at the end of the tests. I also remind you to adapt the files in this PoC to your context (pay attention to filepaths!).
Tipically in newer versions of Linux you have to disable the sticky bits symlink follow protection. In Ubuntu 16.04 sudo systemctl -w fs.protected_symlinks=0. Check online for other versions of GNU/Linux.