A race condition occurs when a system attempts to perform two or more
operations at the same time and the result depends on the order in which they
complete. A race-condition vulnerability is a flaw that makes it possible for a
program to fail to meet its security requirements during such a race [1]. An
attacker can take advantage of a race-condition vulnerability to gain
unauthorized access to a computer system or network. The impact on a network
from a race-condition vulnerability may be denial of service, modification of
system information, execution of arbitrary code, root access, modification of
user information, or user-level access, in most reported cases from the local
system. A race-condition vulnerability can also affect an individual computer
and its memory; the impact in that case may be a crash, an "illegal operation"
notification and shutdown of the program, errors reading old data, or errors
writing new data. All common operating systems and runtimes, such as Linux,
Unix, MacOS, Windows and the Java platform, have had race-condition
vulnerabilities [2].
A race condition is a situation that occurs when a system attempts to perform
two or more operations at the same time, but because of the nature of the
system the operations must be done in the proper sequence in order to be done
correctly [3]. One situation where a race condition may occur is when two users
attempt to access an available channel at the same instant, and neither
computer receives notification that the channel is occupied before the system
grants access. In another situation, a race condition may occur if commands to
read and write a large amount of data are received at almost the same instant,
and the machine attempts to overwrite some or all of the old data while that
old data is still being read. The result may be a computer crash, an "illegal
operation" notification and shutdown of the program, errors reading old data,
or errors writing new data.
Race conditions can also occur in hardware devices. In a logic gate, for
example, a race condition occurs when two inputs change at nearly the same
instant. Because the gate's output takes a finite, nonzero amount of time to
react to any change in its inputs, circuits or devices downstream of the gate
may sample a transient output state and, as a result, fail to operate
properly.
Finally, there can also be physical race conditions. One frequent example
occurs during an employee firing or company layoff: computer access privileges
are not revoked at the instant the employee is notified, so the employee keeps
access during that window and can act maliciously. Similarly, maintenance
access privileges that do not expire promptly pose the same kind of
race-condition vulnerability.
Race conditions in software are typically synchronization errors: two
operations that must happen in a fixed order are not forced to. A classic UNIX
example involves the mktemp() library call [4]. mktemp() returns a file name
that is not in use at the moment of the call but does not create the file, so a
program that tests the name and then opens it leaves a window between the test
and the open. The problem is well known and relatively easy to exploit: the
affected programs generally run with extra privilege, and an attacker who wins
the race between the file test and the file open can redirect the privileged
open to a file of their choosing.
In other cases, a race condition occurs when two or more pieces of software run
concurrently. One example occurs in Netscape, and possibly other browsers
derived from Mozilla [5], when running on Microsoft Windows; it is not known to
occur on Linux. Mozilla does not stop the active scripts of the previous page
when a new page is loaded, which allows a malicious site to bypass the security
zone: when the user clicks a link and the new page is being loaded, the
previous site's JavaScript is still running, can read cookie information from
the new site, and can send it back to the previous site.
Another common race-condition vulnerability occurs when a system-level shell
script creates a temporary file with improper protection. If the attacker
catches such a file in time, it can be overwritten or replaced, which may open
further security holes. If the attacker can guess the file name, they can write
a simple program that continuously checks for the file and acts as soon as it
appears. An example is the updatedb cron script, which generates a
world-writable /tmp/locatedb.XXXX file and later moves it, without checking
it, to /var/lib/locatedb [6].
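The mktemp() race and the updatedb temporary-file race above are the same bug: a time-of-check to time-of-use window between testing a predictable name and opening it. The C program below is an added example, not code from this page or from the cited sources. It reproduces the window on a single host with a hook that stands in for the attacker being scheduled inside it, and puts the test-then-open pattern beside the atomic open() with O_CREAT|O_EXCL|O_NOFOLLOW that closes it. The directory, file names, file contents and the "attacker plants a symlink" action are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Called inside the race window; in this demo it is the attacker. */
typedef void (*race_hook)(const char *path, void *ctx);

/* The predictable name a naive privileged script picks: fixed prefix plus PID.
 * An attacker can guess it and wait for it. */
static void predictable_name(const char *dir, char *out, size_t n)
{
    snprintf(out, n, "%s/locatedb.%ld", dir, (long)getpid());
}

/* VULNERABLE: test that the name is free, then open it for writing.
 * Whatever is scheduled between access() and fopen() owns the window. */
static int open_temp_unsafe(const char *path, FILE **fp, race_hook hook, void *ctx)
{
    if (access(path, F_OK) == 0)
        return -1;              /* name already taken, give up */
    if (hook)
        hook(path, ctx);        /* <-- the race window */
    *fp = fopen(path, "w");     /* follows a symlink and truncates its target */
    return *fp ? 0 : -1;
}

/* HARDENED: one atomic create. O_EXCL refuses an existing file or symlink,
 * O_NOFOLLOW refuses to follow a symlink, mode 0600 keeps the file private.
 * The hook is only here so the demo gives the attacker the same chance. */
static int open_temp_safe(const char *path, FILE **fp, race_hook hook, void *ctx)
{
    if (hook)
        hook(path, ctx);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;              /* errno is EEXIST when a symlink was planted */
    *fp = fdopen(fd, "w");
    if (!*fp) {
        close(fd);
        return -1;
    }
    return 0;
}

/* Attacker's move inside the window: point the temp name at a file the
 * privileged program may write but the attacker may not. */
static void attacker_plants_symlink(const char *path, void *ctx)
{
    if (symlink((const char *)ctx, path) != 0)
        perror("symlink");
}

/* Constructed stand-in for a protected file such as /etc/passwd. */
static const char ORIGINAL[] = "root:x:0:0:root:/root:/bin/sh\n";

/* Returns 1 if the protected file was clobbered through the temp name,
 * 0 if it survived, -1 on setup failure. Everything lives in a fresh
 * mkdtemp() directory and is removed afterwards. */
int simulate_race(int use_safe_open)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    char victim[256], tmp[256], buf[256];
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/protected", dir);

    FILE *v = fopen(victim, "w");
    if (!v)
        return -1;
    fputs(ORIGINAL, v);
    fclose(v);

    predictable_name(dir, tmp, sizeof tmp);
    FILE *fp = NULL;
    int rc = use_safe_open
        ? open_temp_safe(tmp, &fp, attacker_plants_symlink, victim)
        : open_temp_unsafe(tmp, &fp, attacker_plants_symlink, victim);
    if (rc == 0) {
        /* The privileged program's own data; the damage is that it lands
         * in (and truncates) the attacker's chosen target. */
        fputs("database contents\n", fp);
        fclose(fp);
    }

    int clobbered = 1;
    v = fopen(victim, "r");
    if (v) {
        if (fgets(buf, sizeof buf, v) && strcmp(buf, ORIGINAL) == 0)
            clobbered = 0;
        fclose(v);
    }
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("test-then-open: protected file clobbered = %d\n", simulate_race(0));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW: protected file clobbered = %d\n", simulate_race(1));
    return 0;
}
```

The unprivileged attacker never writes to the protected file directly; the privileged program does it for them because fopen("w") follows the planted symlink. With O_CREAT|O_EXCL the kernel performs the existence check and the create as one operation, so there is no window in which a planted name can be honoured; mkstemp(3) wraps exactly this pattern and is the usual replacement for mktemp().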
Many race-condition vulnerabilities occur in the password-handling parts of
programs. One example is the misuse of the program that lets an ordinary user
change their password; this description of the passwd exploit is taken from
[7]. The exploit takes advantage of a race condition between the Linux kernel
and the passwd system program. passwd allows an ordinary user to supply their
current password along with a new one, and then updates the system-wide
database of user information, commonly the /etc/passwd or /etc/shadow file, so
that it contains the new password. An ordinary user does not have permission
to edit this file, so passwd must run with root privileges in order to modify
it. Normally the passwd process performs only a restricted set of actions,
namely editing /etc/passwd and/or /etc/shadow. Because of a race condition in
the Linux kernel that allows an unprivileged process to debug a privileged
process, the passwd process can be made to do more: using an unprivileged
process, an attacker can attach to, or "debug", the running passwd process and
force it to execute a command shell, granting the attacker elevated
privileges.
A final example involves the ptrace() debugging interface in some Linux
distributions [8], which is vulnerable to a race condition that could allow a
local attacker to gain root privileges. If ptrace is running in the background
when a setuid-root binary (such as newgrp, which executes a shell) is
executed, a local attacker can execute arbitrary code on the system and gain
root privileges.
A race condition occurs when a system attempts to perform two or more
operations at the same time. During a race condition a program's security
guarantees may be violated. A race-condition vulnerability can affect a
networked host, a single computer, and a hardware device alike. An attacker can
take advantage of a race-condition vulnerability to gain unauthorized access
and elevated privileges on a computer network, and with a foothold and
elevated privileges the attacker can perform virtually any malicious action
desired.
Many online databases that track security vulnerabilities list race-condition
vulnerabilities and their fixes. A review of the "Exploits" database
maintained by SecuriTeam shows 87 listings for race-condition vulnerabilities
[9]. Similarly, the SecurityFocus Vulnerability Database documents 50
different race-condition vulnerabilities in 2001 and 2002 [10].
Most defenses against race conditions amount to taking proper action when
known vulnerabilities are published. When a vulnerability becomes known, the
features known to be unsafe in that environment should be disabled (if
possible) or isolated (i.e. access to the affected processes limited) until a
secure fix is in place. Testing for faults, and detection before exploitation,
should of course be ongoing. Finally, full documentation of all audits,
integrity checks, and implemented fixes for known attacks should be kept.
[1] Microsoft Security Advisor Program: Glossary of Terms. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/glossary.asp
[2] http://www.securitytracker.com/topics/topics.html
[3] WHAT IS.COM DEFINITIONS, 2003. http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci871100,00.html
[4] http://www.busan.edu/~nic/networking/puis/ch23_02.htm
[5] Liu Die Yu, Mozilla and Netscape race condition, 17 April 2003. http://www.computercops.biz/article2345.html
[6] COMPUTER SECURITY, Lecture Fourteen, Network Security II, Dr. Richard Spillman, Summer 2002. http://www.cs.plu.edu/courses/csci490/ComputerSec/notes/sec_l14_2002.ppt
[7] http://www.cs.cmu.edu/People/maxion/pubs/TanKillourhyMaxion02.pdf
[8] X-Force Database, Internet Security Systems. http://xforce.iss.net/xforce/xfdb/7311
[9] http://www.securiteam.com/exploits/archive.html
[10] SecurityFocus Vulnerability Database, operated by Symantec Corporation, 2003. http://www.securityfocus.com/bid/keyword/