Compound Element ID: 689 (Compound Element Base: Composite)
Status: Draft
Description
Description Summary
The product, while copying or cloning a resource, does not set
the resource's permissions or access control until the copy is complete, leaving
the resource exposed to other spheres while the copy is taking
place.
database product creates files world-writable
before initializing the setuid bits, leading to modification of
executables.
Other Notes
This is a general issue, although few subtypes are currently known. The
most common examples occur in file archive extraction, in which the product
begins the extraction with insecure default permissions, then only sets the
final permissions (as specified in the archive) once the copy is complete.
The larger the archive, the larger the timing window for the race condition.
This weakness has also occurred in some operating system utilities that
perform copies of deeply nested directories containing a large number of
files.
Weakness Ordinalities
Ordinality
Description
Primary
(where the
weakness exists independent of other weaknesses)
Under-studied. It seems likely that this weakness could occur in any
situation in which a complex or large copy operation occurs, when the
resource can be made available to other spheres as soon as it is created,
but before its initialization is complete.
Incorrect Permission Assignment for Critical Resource
Definition in a New Window
Weakness ID: 732 (Weakness Class)
Status: Draft
Description
Description Summary
The software specifies permissions for a security-critical
resource in a way that allows that resource to be read or modified by unintended
actors.
Extended Description
When a resource is given a permissions setting that provides access to a
wider range of actors than required, it could lead to the disclosure of
sensitive information, or the modification of that resource by unintended
parties. This is especially dangerous when the resource is related to
program configuration, execution or sensitive user data.
Time of Introduction
Architecture and Design
Implementation
Installation
Operation
Applicable Platforms
Languages
All
Likelihood of Exploit
Medium to High
Potential Mitigations
Phase
Description
Architecture and Design
When using a critical resource such as a configuration file, check to
see if the resource has insecure permissions (such as being modifiable
by any regular user), and generate an error or even exit the software if
there is a possibility that the resource could have been modified by an
unauthorized party.
Architecture and Design
Divide your application into anonymous, normal, privileged, and
administrative areas. Reduce the attack surface by carefully defining
distinct user groups, privileges, and/or roles. Map these against data,
functionality, and the related resources. Then set the permissions
accordingly. This will allow you to maintain more fine-grained control
over your resources.
Implementation
During program startup, explicitly set the default permissions or
umask to the most restrictive setting possible. Also set the appropriate
permissions during program installation. This will prevent you from
inheriting insecure permissions from any user who installs or runs the
program.
System Configuration
For all configuration files, executables, and libraries, make sure
that they are only readable and writable by the software's
administrator.
Documentation
Do not suggest insecure configuration changes in your documentation,
especially if those configurations can extend to resources and other
software that are outside the scope of your own software.
Installation
Do not assume that the system administrator will manually change the
configuration to the settings that you recommend in the manual.
Testing
Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules.
Testing
Use monitoring tools that examine the software's process as it
interacts with the operating system and the network. This technique is
useful in cases when source code is unavailable, if the software was not
developed by you, or if you want to verify that the build phase did not
introduce any new weaknesses. Examples include debuggers that directly
attach to the running process; system-call tracing utilities such as
truss (Solaris) and strace (Linux); system activity monitors such as
FileMon, RegMon, Process Monitor, and other Sysinternals utilities
(Windows); and sniffers and protocol analyzers that monitor network
traffic.
Attach the monitor to the process and watch for library functions or
system calls on OS resources such as files, directories, and shared
memory. Examine the arguments to these calls to infer which permissions
are being used.
Note that this technique is only useful for permissions issues related
to system resources. It is not likely to detect application-level
business rules that are related to permissions, such as if a user of a
blog system marks a post as "private," but the blog system inadvertently
marks it as "public."
Testing
System Configuration
Ensure that your software runs properly under the Federal Desktop Core
Configuration (FDCC) or an equivalent hardening configuration guide,
which many organizations use to limit the attack surface and potential
risk of deployed software.
The relationships between privileges, permissions, and actors (e.g. users
and groups) need further refinement within the Research view. One
complication is that these concepts apply to two different pillars, related
to control of resources (CWE-664) and protection mechanism failures
(CWE-396).
Content History
Submissions
Submission Date
Submitter
Organization
Source
2008-09-08
Internal CWE Team
new weakness-focused entry for Research
view.
Modifications
Modification Date
Modifier
Organization
Source
2009-01-12
CWE Content Team
MITRE
Internal
updated Description, Likelihood of Exploit, Name,
Potential Mitigations, Relationships
2009-03-10
CWE Content Team
MITRE
Internal
updated Potential Mitigations,
Related Attack Patterns
The code requires that certain state should not be modified
between two operations, but a timing window exists in which the state can be
modified by an unexpected actor or process.
Extended Description
This can have security implications when the expected synchronization is
in security-critical code, such as recording whether a user is
authenticated, or modifying important state information that should not be
influenced by an outsider.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Architectural Paradigms
Concurrent Systems Operating on Shared Resources: (Often)
Common Consequences
Scope
Effect
Availability
When a race condition makes it possible to bypass a resource cleanup
routine or trigger multiple initialization routines, it may lead to
resource exhaustion (CWE-400).
Availability
When a race condition allows multiple control flows to access a
resource simultaneously, it might lead the program(s) into unexpected
states, possibly resulting in a crash.
Confidentiality
Integrity
When a race condition is combined with predictable resource names and
loose permissions, it may be possible for an attacker to overwrite or
access confidential data (CWE-59).
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
This code could be used in an e-commerce application that supports
transfers between accounts. It takes the total amount of the transfer, sends
it to the new account, and deducts the amount from the original
account.
(Bad Code)
Perl
$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();
if ($transfer_amount < 0) {
FatalError("Bad Transfer Amount");
}
$newbalance = $balance - $transfer_amount;
if (($balance - $transfer_amount) < 0) {
FatalError("Insufficient Funds");
}
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
A race condition could occur between the calls to
GetBalanceFromDatabase() and SendNewBalanceToDatabase().
Suppose the same user can invoke this program multiple times
simultaneously, such as by making multiple requests in a web
application. An attack could be constructed as follows:
Suppose the balance is initially 100.00.
The attacker makes two simultaneous calls of the program, CALLER-1
and CALLER-2. Both callers are for the same user account.
CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance
that handles CALLER-1). CALLER-2 is associated with
PROGRAM-2.
CALLER-1 makes a transfer request of 80.00.
PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to
100.00
PROGRAM-1 calculates $newbalance as 20.00, then calls
SendNewBalanceToDatabase().
Due to high server load, the PROGRAM-1 call to
SendNewBalanceToDatabase() encounters a delay.
CALLER-2 makes a transfer request of 1.00.
PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to
100.00. This happens because the previous PROGRAM-1 request was not
processed yet.
PROGRAM-2 determines the new balance as 99.00.
After the initial delay, PROGRAM-1 commits its balance to the
database, setting it to 20.00.
PROGRAM-2 sends a request to update the database, setting the
balance to 99.00
At this stage, the attacker should have a balance of 19.00 (due to
81.00 worth of transfers), but the balance is 99.00, as recorded in the
database.
To prevent this weakness, the programmer has several options,
including using a lock to prevent multiple simultaneous requests to the
web application, or using a synchronization mechanism that includes all
the code between GetBalanceFromDatabase() and
SendNewBalanceToDatabase().
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
chain: time-of-check time-of-use (TOCTOU) race
condition in program allows bypass of protection mechanism that was designed
to prevent symlink attacks.
chain: race condition allows attacker to access an
object while it is still being initialized, causing software to access
uninitialized memory.
Potential Mitigations
Phase
Description
Architecture and Design
In languages that support it, use synchronization primitives. Only
wrap these around critical code to minimize the impact on
performance.
Architecture and Design
Use thread-safe capabilities such as the data access abstraction in
Spring.
Architecture and Design
Minimize the usage of shared resources in order to remove as much
complexity as possible from the control flow and to reduce the
likelihood of unexpected conditions occurring.
Additionally, this will minimize the amount of synchronization
necessary and may even help to reduce the likelihood of a denial of
service where an attacker may be able to repeatedly trigger a critical
section (CWE-400).
Implementation
When using multi-threading, only use thread-safe functions on shared
variables.
Implementation
Use atomic operations on shared variables. Be wary of innocent-looking
constructs like "x++". This is actually non-atomic, since it involves a
read followed by a write.
Implementation
Use a mutex if available, but be sure to avoid related weaknesses such
as CWE-412.
Implementation
Avoid double-checked locking (CWE-609) and other implementation errors
that arise when trying to avoid the overhead of synchronization.
Implementation
Disable interrupts or signals over critical parts of the code, but
also make sure that the code does not go into a large or infinite
loop.
Implementation
Use the volatile type modifier for critical variables to avoid
unexpected compiler optimization or reordering. This does not
necessarily solve the synchronization problem, but it can help.
Testing
Stress-test the software by calling it simultaneously from a large
number of threads or processes, and look for evidence of any unexpected
behavior. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results.
Insert breakpoints or delays in between relevant code statements to
artificially expand the race window so that it will be easier to
detect.
Testing
Identify error conditions that are not likely to occur during normal
usage and trigger them. For example, run the program under low memory
conditions, run with insufficient privileges or permissions, interrupt a
transaction before it is completed, or disable connectivity to basic
network services such as DNS. Monitor the software for any unexpected
behavior. If you trigger an unhandled exception or similar error that
was discovered and handled by the application's environment, it may
still indicate unexpected conditions that were not handled by the
application itself.
Race conditions in web applications are under-studied and probably
under-reported. However, in 2008 there has been growing interest in this
area.
Much of the focus of race condition research has been in Time-of-check
Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are
related to synchronization problems that do not necessarily require a
time-of-check.
Taxonomy Mappings
Mapped Taxonomy Name
Node ID
Fit
Mapped Node Name
PLOVER
Race Conditions
CERT C Secure Coding
FIO31-C
Do not simultaneously open the same file multiple
times
The relationship between race conditions and synchronization problems
(CWE-662) needs to be further developed. They are not necessarily two
perspectives of the same core concept, since synchronization is only one
technique for avoiding race conditions, and synchronization can be used for
other purposes besides race condition prevention.
Content History
Submissions
Submission Date
Submitter
Organization
Source
PLOVER
Externally Mined
Modifications
Modification Date
Modifier
Organization
Source
2008-07-01
Eric Dalci
Cigital
External
updated Time of Introduction
2008-09-08
CWE Content Team
MITRE
Internal
updated Relationships,
Taxonomy Mappings
2008-10-14
CWE Content Team
MITRE
Internal
updated Relationships
2008-11-24
CWE Content Team
MITRE
Internal
updated Relationships,
Taxonomy Mappings
2009-01-12
CWE Content Team
MITRE
Internal
updated Applicable Platforms, Common Consequences,
Demonstrative Examples, Description, Likelihood of Exploit,
Maintenance Notes, Observed Examples, Potential Mitigations, References,
Relationships, Research Gaps
Description
