Templates and Alerts
Race Condition Template
The vulnerability addressed by this template

There is a class of attacks that utilize the time between a program's check of a file and the time that program utilizes that file. The race condition is sometimes referred to as the TOCTTOU (time-of-check-to-time-of-use) attack. A program might check to see if a file exists before it changes ownership of the file to the intended recipient. If an attacker is able to change the file reference between these two steps, it can cause the program to change the ownership of an arbitrary file.

There is also a TOCTTOU attack against privileged setuid scripts that utilizes the time between when the kernel determines the program is a privileged script and spawns an interpreter with privilege and when the interpreter opens the script to execute it. If an attacker is able to change the file reference between these two steps, it can cause the interpreter to execute an arbitrary script with privilege. An attacker can exploit the vulnerability by repeatedly executing a privileged setuid script via a symbolic link, where the symbolic link is constantly being changed between pointing to the privileged script and pointing to the attacker's own attack script. Starting with 11i v1.6, a tunable called secure_sid_scripts(5) was introduced whose default value indicates that the setuid and setgid bits on scripts are ignored by the kernel. The vulnerability can still be exploited if the tunable is configured to honor a privileged script's setuid and setgid bits in favor of compatibility over security. See the secure_sid_scripts(5) manpage for details.
How this template addresses the vulnerability

The Race Condition (RC) template monitors the file accesses that privileged programs make, and the template generates an alert if a file reference appears to have unexpectedly changed.

This template also monitors the execution of privileged setuid scripts, which are susceptible to a race condition when executed via a symbolic link. Starting with 11i v1.6, the setuid bit of a setuid script is ignored if the default value of the secure_sid_scripts tunable kernel parameter is in place.
How this template is configured

This template supports the following properties:

Table: Template Properties

Name                     Type   Default Value
priv_uid_list            III    0 1 2 3 4 5 9 11
pathnames_to_not_watch   I      <empty>
pathnames_1              II     ^/etc/passwd$
programs_1               II     ^/usr/bin/passwd$
                                ^/usr/sbin/useradd$
                                ^/usr/sbin/userdel$
                                ^/usr/sbin/usermod$
pathnames_X              II     <empty>
programs_X               II     <empty>
Appendix A    141