Symlink Races
Last term in my Introduction to Computer Systems class we covered synchronization with locks, monitors, condition variables and semaphores. After one lecture on race conditions I asked my professor if it were possible (or common) to exploit race conditions as an attacker. The working example in class was an asynchronous stack and the dangers of multiple threads pushing and popping, a potential consequence of which is dangling pointers. I had wondered if this could be worked into something malicious.
No, I don't think that would be very doable. At least, after some mild discussion with my professor we couldn't think of anything. That's partly because race conditions are highly unpredictable by nature, so it would be hard enough to use a race condition for an exploit, period, but even harder on some data structure that is constantly changing.
After a little searching I stumbled across an assignment PDF from some university dealing with race conditions and security: using a symlink race to gain escalated write permission.
Generally speaking, suppose we know a program runs with privileged permissions and appends a user's input to a file. If the output file doesn't exist yet, or the user is able to replace it, they can put a symbolic link to some other file in its place. For example, if the program creates a file temp_log.txt that stores the user's input before writing it out (perhaps doing some intermediate processing), we have a candidate for a symlink exploit. If we can time our creation of the symlink to be just after the program opens the write stream, we can (theoretically) have the program write to whatever file we linked it to.
Now suppose we know the program writes in append mode. It would be really interesting if we created a symlink from temp_log.txt to /etc/shadow and entered something juicy:
wupool:Ep6mckrOLChF.:10063:0:99999:7:::
The race aspect has to do with our timing of the symlink creation. If we're too early the program probably exits with an error because we shouldn't be accessing such a privileged file, and if we're too late then there's no link created. I haven't implemented anything so I don't know how hard this would be to do, or even how realistic it is, but I thought it's a really cool little trick. Even cooler is that it came about because of something I learned in class.
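To make the failure mode concrete, here is an added C example (mine, not the post's code) that reproduces the end state of the race in a private directory: a file named target.txt stands in for the privileged file, and a symlink named temp_log.txt (the post's log file) already points at it. The vulnerable writer uses fopen() in append mode, which silently follows the link; the hardened writer opens with O_CREAT|O_EXCL|O_NOFOLLOW and then cross-checks fstat() against lstat() so that it never writes through a link or to a file swapped in after the open. The directory and file names are constructed for the demo, and the code assumes /tmp is writable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the post: fopen() in append mode follows whatever
 * symlink has been parked at `path`, so the line lands in the link's target
 * instead of the intended log file. */
static int append_unsafe(const char *path, const char *line)
{
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    int rc = (fputs(line, f) == EOF) ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/* Hardened pattern: create the file atomically and never through a link.
 * O_CREAT|O_EXCL fails with EEXIST if anything (file or symlink) already sits
 * at `path`, O_NOFOLLOW refuses a symlink at the last path component, and the
 * fstat/lstat comparison verifies that the descriptor we hold is the same
 * regular file the name now refers to, i.e. nothing was swapped in between. */
static int append_safe(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                       /* errno tells the caller why */
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_name) != 0 ||
        !S_ISREG(by_fd.st_mode) ||
        by_fd.st_ino != by_name.st_ino || by_fd.st_dev != by_name.st_dev) {
        close(fd);
        return -1;
    }
    size_t len = strlen(line);
    ssize_t n = write(fd, line, len);
    int rc = (n >= 0 && (size_t)n == len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Constructed scenario: a private directory holds target.txt (standing in for
 * the privileged file) and a symlink named temp_log.txt already pointing at
 * it, the state the race is trying to reach.  Both writers run against the
 * link.  Returns the target's final size and reports the hardened writer's
 * return value and errno through the out-parameters. */
static long run_demo(int *safe_rc, int *safe_errno)
{
    static const char line[] = "constructed line that must not reach target\n";
    char dir[] = "/tmp/symlink-race-demo-XXXXXX";   /* assumes /tmp is writable */
    char target[128], link[128];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/temp_log.txt", dir);

    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0 || close(tfd) != 0 || symlink(target, link) != 0)
        return -1;

    append_unsafe(link, line);           /* follows the link: target grows */
    *safe_rc = append_safe(link, line);  /* refuses the link: nothing written */
    *safe_errno = errno;

    struct stat st;
    long size = (stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(link);
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void)
{
    int rc = 0, err = 0;
    long size = run_demo(&rc, &err);
    printf("target size after unsafe append: %ld bytes\n", size);
    printf("hardened open result: %d (%s)\n", rc, rc < 0 ? strerror(err) : "ok");
    return 0;
}
```

The unsafe writer grows target.txt by the full line even though it was asked to write temp_log.txt; the hardened writer returns -1 with errno set to EEXIST (or ELOOP on platforms that report the refused link that way) and leaves the target untouched. The same O_EXCL|O_NOFOLLOW discipline is what mkstemp() applies internally, which is why privileged code should create its temporary files with it rather than with a predictable name and fopen().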
Posted on 2012-03-04