CAPEC-29

Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
Likelihood of Attack: High
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 00:00 +00:00
Last modified: 2022-09-29 00:00 +00:00


Description

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Execution Flow

1) Explore

The adversary explores to gauge what level of access they have.

2) Experiment

The adversary confirms access to a resource on the target host. The adversary confirms ability to modify the targeted resource.

3) Exploit

The adversary decides to leverage the race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary can replace the resource and cause an escalation of privilege.

Prerequisites

A resource is accessed or modified concurrently by multiple processes.
The adversary is able to modify the resource.
A race condition exists while accessing the resource.

Skills Required

This attack can get sophisticated since the attack has to occur within a short interval of time.

Mitigations

Use safe libraries to access resources such as files.
Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.
Use synchronization to control the flow of execution.
Use static analysis tools to find race conditions.
Pay attention to concurrency problems related to the access of resources.
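The pattern the description and the mitigations refer to is easiest to see in file access code. The following added example (not part of the CAPEC entry; function names and the /tmp paths it uses are assumptions made here) shows the check-then-use sequence that creates the window, beside a version that opens the file once and then verifies the descriptor it actually holds with fstat(), so there is no second path lookup between the check and the use:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (CWE-367). The permission check and the open each
 * resolve the path independently; whatever the path names at the second
 * lookup is what gets opened, whether or not it is what access() checked. */
int open_check_then_use(const char *path)
{
    if (access(path, R_OK) != 0)        /* time of check */
        return -1;
    return open(path, O_RDONLY);        /* time of use, second lookup */
}

/* Hardened pattern. Open once, then inspect the descriptor you hold:
 * fstat() describes the inode already opened, so no second lookup exists
 * for a concurrent writer to redirect. O_NOFOLLOW refuses a symbolic link
 * as the final path component. The caller states who must own the file. */
int open_then_verify(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0
        || !S_ISREG(st.st_mode)           /* regular file only */
        || st.st_uid != expected_owner    /* owned by whom we expect */
        || (st.st_mode & S_IWOTH)) {      /* not world-writable */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Helpers that exercise the hardened opener on constructed inputs under
 * /tmp (assumed writable). Each returns 1 on the expected outcome, 0 otherwise. */

static int make_temp_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/capec29_XXXXXX");
    int fd = mkstemp(path);            /* mode 0600, owned by this uid */
    if (fd < 0)
        return 0;
    if (write(fd, "data\n", 5) != 5) { close(fd); unlink(path); return 0; }
    close(fd);
    return 1;
}

int demo_regular_file_accepted(void)
{
    char path[64];
    if (!make_temp_file(path, sizeof path))
        return 0;
    int fd = open_then_verify(path, getuid());
    int ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok;
}

int demo_directory_rejected(void)
{
    /* "/" opens read-only but fails the S_ISREG check on the descriptor. */
    return open_then_verify("/", getuid()) == -1;
}

int demo_symlink_rejected(void)
{
    char target[64], link[80];
    if (!make_temp_file(target, sizeof target))
        return 0;
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) != 0) { unlink(target); return 0; }
    /* O_NOFOLLOW makes open() refuse the link itself (ELOOP on Linux). */
    int fd = open_then_verify(link, getuid());
    int ok = (fd == -1);
    if (fd >= 0)
        close(fd);
    unlink(link);
    unlink(target);
    return ok;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_regular_file_accepted());
    printf("directory rejected:    %d\n", demo_directory_rejected());
    printf("symlink rejected:      %d\n", demo_symlink_rejected());
    return 0;
}
```

The same idea applies to the calls named in the mitigations: once a descriptor is held, prefer fchown(), fchmod() and fstat() on that descriptor over chown(), chmod() and stat() on the path, and create temporary files with mkstemp() (which creates and opens atomically) rather than checking a name and then creating it.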

Related Weaknesses

CWE-ID Weakness Name
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
CWE-368 Context Switching Race Condition
A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.
CWE-366 Race Condition within a Thread
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
CWE-370 Missing Check for Certificate Revocation after Initial Check
The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CWE-662 Improper Synchronization
The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
CWE-691 Insufficient Control Flow Management
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
CWE-663 Use of a Non-reentrant Function in a Concurrent Context
The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
CWE-665 Improper Initialization
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

References

REF-131: J. Viega, G. McGraw. Building Secure Software.

REF-107: Fortify Software. SAMATE - Software Assurance Metrics And Tool Evaluation. http://samate.nist.gov/SRD/view_testcase.php?tID=1598

Submission

Name: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23 +00:00

Modifications

All modifications by the CAPEC Content Team, The MITRE Corporation:

2017-01-09 +00:00: Updated Related_Attack_Patterns
2017-08-04 +00:00: Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances
2018-07-31 +00:00: Updated References
2019-09-30 +00:00: Updated @Abstraction
2020-07-30 +00:00: Updated Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-09-29 +00:00: Updated Example_Instances