Race Conditions
CAN-2003-1073
A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. sequences in the job name, then modify the directory structure after it checks permissions to delete the file and before the deletion actually takes place
CVE-2008-2958
CheckInstall could allow a local attacker to launch a symlink attack caused by an error in the CheckInstall and InstallWatch scripts. Certain directories are created with insecure permissions
CWE-368
Context Switching Race Condition
Race Conditions Summary
Do write code that doesn't depend on side effects. Do be very careful when writing signal handlers. Do NOT modify global resources without locking. Consider writing temporary files into a per-user store instead of a world-writable space.
Race Condition Explained
If a function is non-reentrant, and two threads are in the function at once, then things are going to break. Checking whether a file exists before opening it can allow the attacker to create a file in between the check and the open, so the program ends up opening a malicious file.
Race Condition Redemption Steps
Understand how to correctly write reentrant code even if the application won't be running in a threaded environment. Lock shared resources. If you're executing a signal handler or exception handler, the only really safe thing to do may be to exit().
Spotting the Race Condition Sin During Code Review
Look at the code and at the library functions that you call. Nonreentrant code will manipulate variables declared outside of local scope; check whether that information can be changed in an uncontrolled manner. Look for processes external to your own interfacing with your process. Look for file and directory creation in publicly writable areas and the use of predictable filenames. Look for any case where files are created in a shared directory. Never depend on routines to create a "new" filename.
Spotting the Race Condition Sin Pattern
More than one thread or process must write to the same resource. Creating files or directories in common areas. Signal handlers. Nonreentrant functions in a multithreaded application or a signal handler. Note that signals are close to useless on a Windows system and aren't susceptible to this problem.
CWE-362
Race Condition (parent)
CWE-421
Race Condition During Access to Alternate Channel
CWE-366
Race Condition Within a Thread
CWE-370
Race Condition in Checking for Certificate Revocation
CWE-365
Race Condition in Switch
CVE-2000-0849
Race condition in Microsoft Windows Media Server allows remote attackers to cause a DoS in the Windows Media Unicast Service via a malformed request, aka the "Unicast Service Race Condition" vulnerability
CVE-2008-0379
Race condition in the Enterprise Tree ActiveX control in Crystal Reports IX Release 2 allows remote attackers to cause a DoS and possibly execute arbitrary code via the SelectedSession method
Testing Techniques to Find the Sin
Run the tests on a fast multiprocessor system: if you start seeing crashes you can't reproduce on a single-processor system, then you have almost certainly found a race condition. To find signal-handling problems, create an application that sends signals closely together to the suspect application, and see if crashes can be made to occur. To find temp file races, enable logging on your file system and look for predictable names being created in public directories.
CVE-2001-1349
Sendmail before 8.11.4, 8.12.0, and 8.12.0Beta10 allows local users to cause a DoS and possibly corrupt the heap and gain privileges via race conditions in signal handlers
CWE-364
Signal Handler Race Condition
CWE-367
Time-of-Check Time-of-Use (TOCTOU) Race Condition