Compound Element ID: 61 (Compound Element Variant: Composite)
Status: Incomplete
Description
Description Summary
The software, when opening a file or directory, does not
sufficiently account for when the file is a symbolic link that resolves to a
target outside of the intended control sphere. This could allow an attacker to
cause the software to operate on unauthorized files.
Extended Description
A software system that allows UNIX symbolic links (symlink) as part of
paths whether in internal code or through user input can allow an attacker
to spoof the symbolic link and traverse the file system to unintended
locations or access arbitrary files. The symbolic link can permit an
attacker to read/write/corrupt a file that they originally did not have
permissions to access.
Setuid product allows file reading by replacing a
file being edited with a symlink to the targeted file, leaking the result in
error messages when parsing fails.
Symbolic link attacks often occur when a program creates a tmp
directory that stores files/links. Access to the directory should be
restricted to the program as to prevent attackers from manipulating the
files.
Follow the principle of least privilege when assigning access rights
to files. Denying access to a file can prevent an attacker from
replacing that file with a link to a sensitive file. Ensure good
compartmentalization in the system to provide protected areas that can
be trusted.
Symlink vulnerabilities are regularly found in C and shell programs, but
all programming languages can have this problem. Even shell programs are
probably under-reported.
"Second-order symlink vulnerabilities" may exist in programs that invoke
other programs that follow symlinks. They are rarely reported but are likely
to be fairly common when process invocation is used. Reference:
[Christey2005]
This tries to cover various problems in which improper data are
included within a "container."
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Potential Mitigations
Phase
Description
Compartmentalize your system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area.
The code requires that certain state should not be modified
between two operations, but a timing window exists in which the state can be
modified by an unexpected actor or process.
Extended Description
This can have security implications when the expected synchronization is
in security-critical code, such as recording whether a user is
authenticated, or modifying important state information that should not be
influenced by an outsider.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Architectural Paradigms
Concurrent Systems Operating on Shared Resources: (Often)
Common Consequences
Scope
Effect
Availability
When a race condition makes it possible to bypass a resource cleanup
routine or trigger multiple initialization routines, it may lead to
resource exhaustion (CWE-400).
Availability
When a race condition allows multiple control flows to access a
resource simultaneously, it might lead the program(s) into unexpected
states, possibly resulting in a crash.
Confidentiality
Integrity
When a race condition is combined with predictable resource names and
loose permissions, it may be possible for an attacker to overwrite or
access confidential data (CWE-59).
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
This code could be used in an e-commerce application that supports
transfers between accounts. It takes the total amount of the transfer, sends
it to the new account, and deducts the amount from the original
account.
(Bad Code)
Perl
$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();
if ($transfer_amount < 0) {
FatalError("Bad Transfer Amount");
}
$newbalance = $balance - $transfer_amount;
if (($balance - $transfer_amount) < 0) {
FatalError("Insufficient Funds");
}
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
A race condition could occur between the calls to
GetBalanceFromDatabase() and SendNewBalanceToDatabase().
Suppose the same user can invoke this program multiple times
simultaneously, such as by making multiple requests in a web
application. An attack could be constructed as follows:
Suppose the balance is initially 100.00.
The attacker makes two simultaneous calls of the program, CALLER-1
and CALLER-2. Both callers are for the same user account.
CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance
that handles CALLER-1). CALLER-2 is associated with
PROGRAM-2.
CALLER-1 makes a transfer request of 80.00.
PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to
100.00
PROGRAM-1 calculates $newbalance as 20.00, then calls
SendNewBalanceToDatabase().
Due to high server load, the PROGRAM-1 call to
SendNewBalanceToDatabase() encounters a delay.
CALLER-2 makes a transfer request of 1.00.
PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to
100.00. This happens because the previous PROGRAM-1 request was not
processed yet.
PROGRAM-2 determines the new balance as 99.00.
After the initial delay, PROGRAM-1 commits its balance to the
database, setting it to 20.00.
PROGRAM-2 sends a request to update the database, setting the
balance to 99.00
At this stage, the attacker should have a balance of 19.00 (due to
81.00 worth of transfers), but the balance is 99.00, as recorded in the
database.
To prevent this weakness, the programmer has several options,
including using a lock to prevent multiple simultaneous requests to the
web application, or using a synchronization mechanism that includes all
the code between GetBalanceFromDatabase() and
SendNewBalanceToDatabase().
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
chain: race condition allows attacker to access an
object while it is still being initialized, causing software to access
uninitialized memory.
Potential Mitigations
Phase
Description
Architecture and Design
In languages that support it, use synchronization primitives. Only
wrap these around critical code to minimize the impact on
performance.
Architecture and Design
Use thread-safe capabilities such as the data access abstraction in
Spring.
Architecture and Design
Minimize the usage of shared resources in order to remove as much
complexity as possible from the control flow and to reduce the
likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization
necessary and may even help to reduce the likelihood of a denial of
service where an attacker may be able to repeatedly trigger a critical
section (CWE-400).
Implementation
When using multi-threading, only use thread-safe functions on shared
variables.
Implementation
Use atomic operations on shared variables. Be wary of innocent-looking
constructs like "x++". This is actually non-atomic, since it involves a
read followed by a write.
Implementation
Use a mutex if available, but be sure to avoid related weaknesses such
as CWE-412.
Implementation
Avoid double-checked locking (CWE-609) and other implementation errors
that arise when trying to avoid the overhead of synchronization.
Implementation
Disable interrupts or signals over critical parts of the code, but
also make sure that the code does not go into a large or infinite
loop.
Implementation
Use the volatile type modifier for critical variables to avoid
unexpected compiler optimization or reordering. This does not
necessarily solve the synchronization problem, but it can help.
Testing
Stress-test the software by calling it simultaneously from a large
number of threads or processes, and look for evidence of any unexpected
behavior. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.
Insert breakpoints or delays in between relevant code statements to
artificially expand the race window so that it will be easier to
detect.
Testing
Identify error conditions that are not likely to occur during normal
usage and trigger them. For example, run the program under low memory
conditions, run with insufficient privileges or permissions, interrupt a
transaction before it is completed, or disable connectivity to basic
network services such as DNS. Monitor the software for any unexpected
behavior. If you trigger an unhandled exception or similar error that
was discovered and handled by the application's environment, it may
still indicate unexpected conditions that were not handled by the
application itself.
Race conditions in web applications are under-studied and probably
under-reported. However, in 2008 there has been growing interest in this
area.
Much of the focus of race condition research has been in Time-of-check
Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are
related to synchronization problems that do not necessarily require a
time-of-check.
Taxonomy Mappings
Mapped Taxonomy Name
Node ID
Fit
Mapped Node Name
PLOVER
Race Conditions
CERT C Secure Coding
FIO31-C
Do not simultaneously open the same file multiple
times
The relationship between race conditions and synchronization problems
(CWE-662) needs to be further developed. They are not necessarily two
perspectives of the same core concept, since synchronization is only one
technique for avoiding race conditions, and synchronization can be used for
other purposes besides race condition prevention.
Content History
Submissions
Submission Date
Submitter
Organization
Source
PLOVER
Externally Mined
Modifications
Modification Date
Modifier
Organization
Source
2008-07-01
Eric Dalci
Cigital
External
updated Time of Introduction
2008-09-08
CWE Content Team
MITRE
Internal
updated Relationships,
Taxonomy Mappings
2008-10-14
CWE Content Team
MITRE
Internal
updated Relationships
2008-11-24
CWE Content Team
MITRE
Internal
updated Relationships,
Taxonomy Mappings
2009-01-12
CWE Content Team
MITRE
Internal
updated Applicable Platforms, Common Consequences,
Demonstrative Examples, Description, Likelihood of Exploit,
Maintenance Notes, Observed Examples, Potential Mitigations, References,
Relationships, Research Gaps
Description
