Race Conditions

by Michael Sklarewitz


Abstract

A race condition occurs when a system attempts to perform two or more operations at the same time. A race-condition vulnerability is a flaw that makes it possible for a program to fail to meet its security requirements during a race condition [1]. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access to a computer network. The impact on a computer network from a race-condition vulnerability may be denial of service via the local system, modification of system information, execution of arbitrary code via the local system, root access via the local system, modification of user information, or user access via the local system. A race-condition vulnerability can also affect individual computers and computer memory. The impact in that case may be a computer crash, an "illegal operation" notification and shutdown of the program, errors reading old data, or errors writing new data. All common operating systems and platforms, such as Linux, Unix, Java, MacOS, Windows, etc., have race-condition vulnerabilities [2].


Definition

A race condition is a situation that occurs when a system attempts to perform two or more operations at the same time, but because of the nature of the system, the operations must be done in the proper sequence in order to be done correctly [3]. One situation where a race condition may occur is when two users attempt to access an available channel at the same instant, and neither computer receives notification that the channel is occupied before the system grants access. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access to a computer network. In another situation, a race condition may occur if commands to read and write a large amount of data are received at almost the same instant, and the machine attempts to overwrite some or all of the old data while that old data is still being read. The result may be a computer crash, an "illegal operation" notification and shutdown of the program, errors reading old data, or errors writing new data.

Race conditions can also occur in hardware devices. For example, in a logic gate, a race-condition would occur when certain inputs come into conflict. Because the gate output state takes a finite, nonzero amount of time to react to any change in input states, sensitive circuits or devices following the gate may be fooled by the state of the output, and thereby caused to not operate properly.

Finally, physical race conditions also exist. One frequent example occurs during an employee firing or company layoff: the computer access privileges are not revoked at the instant the employee is notified, so a malicious attack can occur in that interval. Similarly, maintenance access privileges that do not expire promptly also constitute a race-condition vulnerability.


Attacks

Race conditions are typically associated with synchronization errors within a piece of software. An example for UNIX occurs with the mktemp() library call [4]. This condition is a well-known problem and relatively easy to exploit: the program using it generally runs with extra privilege, and the race between testing for the file and opening it can be exploited.

In other cases, a race condition occurs when two or more software programs are running. One example occurs with Netscape, and possibly other browsers derived from Mozilla [5], when running on Microsoft Windows systems. This situation is not known to occur on Linux systems. In this case, Mozilla does not terminate the previous page's active scripts when a new page is loaded, and this allows malicious sites to bypass the security zone. For example, when a user clicks on a link and a new page is being loaded, the previous site is able to run JavaScript that steals cookie information from the new site and returns it to the previous site.

Another common example of a race-condition security vulnerability occurs when a system-level shell program generates a temporary file with improper protection. If the attacker catches such a file in time, it can be overwritten and possibly open up further security risks. If the attacker can guess the file name, he can write a simple program that continuously checks for the file and acts as soon as its existence is detected. An example is the updatedb crontab script, which generates a /tmp/locatedb.XXXX file that is world-writable. The file is later moved to /var/lib/locatedb without being checked [6].
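To make the mktemp() window and the /tmp/locatedb case above concrete, here is an added example, not code from the paper or from any of its cited sources, that places the check-then-open pattern beside the atomic mkstemp() form and a descriptor-based sanity check; the /tmp/locatedb name prefix and the function names are my own choices.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, kept only to show the window (do not use): a
 * mktemp()-style predictable name is tested, then opened in a separate
 * call. A process that guesses the name can plant a file or symlink between. */
int temp_open_check_then_use(char *path, size_t len) {
    snprintf(path, len, "/tmp/locatedb.%ld", (long)getpid());
    if (access(path, F_OK) == 0)        /* time of check */
        return -1;
    /* ---- race window: nothing is held open, the name is known ---- */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* time of use */
}

/* Hardened pattern: mkstemp() fills XXXXXX with a random suffix and creates
 * and opens the file atomically (O_CREAT|O_EXCL, mode 0600); a planted file fails. */
int temp_open_atomic(char *path, size_t len) {
    if (snprintf(path, len, "/tmp/locatedb.XXXXXX") >= (int)len)
        return -1;
    int fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) { /* explicit 0600 */
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Check the open descriptor, not the path (a path check would race again):
 * regular file, owned by us, mode 0600, single hard link. Returns 1 if so. */
int temp_fd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600
        && st.st_nlink == 1 && st.st_uid == getuid();
}
/* Create, verify, write, close and remove a temp file; returns 1 on success. */
int temp_roundtrip(void) {
    char path[64];
    int fd = temp_open_atomic(path, sizeof path);
    if (fd < 0 || !temp_fd_is_private(fd) || write(fd, "ok\n", 3) != 3)
        return 0;
    return close(fd) == 0 && unlink(path) == 0;
}
```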

Many race-condition vulnerabilities occur within the password subroutine systems of programs. One example of an exploitation of a race-condition vulnerability is the misuse of the program that allows an ordinary user to change their password. This description of the passwd exploit was obtained from [7]. The passwd exploit takes advantage of a race condition between the Linux kernel and the passwd system program. The program allows an ordinary user to provide their current password, along with a new password. It then updates a system-wide database of the user's information so that the database contains the new password. The system-wide database is commonly referred to as the /etc/passwd or the /etc/shadow file. A user does not normally have permission to edit this file, so passwd must run with root privileges in order to modify that file. Normally, the passwd system process performs only a restricted set of actions that consists of editing the /etc/passwd and/or the /etc/shadow file. Because of a race condition in the Linux kernel which allows an unprivileged process to debug a system process, the passwd system process can be made to do more. Using an unprivileged process, an attacker can alter or "debug" the passwd system process and force it to execute a command shell, granting the attacker elevated privileges.

A final example is the ptrace vulnerability in some Linux distributions [8]. This race condition could allow a local attacker to gain root privileges. If ptrace is running in the background and a setuid root binary (such as newgrp, which executes a shell) is executed, a local attacker can execute arbitrary code on the system to gain root privileges.


Summary, Conclusions, and Further Work

A race condition occurs when a system attempts to perform two or more operations at the same time. During a race condition it is possible for a program's security to be vulnerable. A race-condition vulnerability can affect a networked host, a single computer, or a hardware device. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access and elevated privileges on a computer network. With an access point and elevated privileges, the attacker may perform virtually any malicious action desired. Many online databases that monitor security vulnerabilities list race-condition vulnerabilities and their fixes. A review of the "Exploits" database maintained by SecuriTeam found 87 listings for race-condition vulnerabilities [9]. Similarly, the SecurityFocus Vulnerability Database documents 50 different race-condition vulnerabilities in 2001 and 2002 [10].

Most defenses against race conditions consist of taking proper action when known vulnerabilities are published. For example, when a vulnerability becomes known, the features known to be unsafe in that particular environment should be disabled (if possible) or isolated (i.e. access to those processes limited) until a secure solution is in place. Of course, testing for faults (or detection before exploitation) should be ongoing. Finally, full and complete documentation of all audits, integrity checking, and implemented solutions to known attacks should be kept.


References

[1] Microsoft Security Advisor Program: Glossary of Terms.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/glossary.asp

[2] SecurityTracker is a service operated by SecurityGlobal.net LLC. It keeps track of the latest security vulnerabilities. SecurityTracker monitors a wide variety of Internet sources for reports of new vulnerabilities in Internet software and/or services. It provides a timely and reliable source for vulnerability notification.

http://www.securitytracker.com/topics/topics.html

[3] WhatIs.com Definitions, 2003.

http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci871100,00.html

[4] Simson Garfinkel & Gene Spafford, Practical UNIX & Internet Security, 23.2 Tips on Avoiding Security-related Bugs, Second Edition, April 1996.

http://www.busan.edu/~nic/networking/puis/ch23_02.htm

[5] Liu Die Yu, Mozilla and Netscape race condition, 17 April 2003.

http://www.computercops.biz/article2345.html

[6] COMPUTER SECURITY, Lecture Fourteen, Network Security II, Dr. Richard Spillman, Summer 2002.

http://www.cs.plu.edu/courses/csci490/ComputerSec/notes/sec_l14_2002.ppt

[7] Kymie M. C. Tan, Kevin S. Killourhy, and Roy A. Maxion, Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, USA, 2002.

http://www.cs.cmu.edu/People/maxion/pubs/TanKillourhyMaxion02.pdf

[8] X-Force Database, Internet Security Systems.

http://xforce.iss.net/xforce/xfdb/7311

[9] SecuriTeam is a small group within Beyond Security dedicated to bringing you the latest news and utilities in computer security. It is a central security web site containing all the newest security information from various mailing lists, hacker channels, etc.

http://www.securiteam.com/exploits/archive.html

[10] SecurityFocus Vulnerability Database, operated by Symantec Corporation, 2003.

http://www.securityfocus.com/bid/keyword/