#Note/Permanent #Security/Vulnerabilities/RaceConditions #Programming/Concurrency

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability occurs when a program checks the state of a resource (permissions, ownership, file type, or existence) but uses that resource at a later time, creating a time window in which an attacker can modify the resource's state between the check and the use. This class of race condition can lead to privilege escalation, unauthorized access, and arbitrary file operations.

## The Vulnerability Mechanism

TOCTOU exploits follow this pattern:

1. **Check**: The program validates the permissions or state of a resource.
2. **Time Window**: A brief period during which the resource's state can change.
3. **Use**: The program operates on the resource, assuming the check still holds.

The attacker uses this time window to modify the resource (via symlinks, file replacement, memory pointer manipulation, etc.), causing the program to operate on an unintended target. When the vulnerable program runs with elevated privileges, this leads to privilege escalation or unauthorized access.
## Simple Vulnerable Patterns

### Pattern 1: Classic File Access Race

```c
if (access(argv[1], R_OK) == 0) {       // check: tests the real UID's permission on the path
    seteuid(0);                          // time window: the path's target can change here
    FILE *f = fopen(argv[1], "r");       // use: opens whatever the path points to now
    copy_to_backup_tape(f);
    fclose(f);
}
```

### Pattern 2: File Existence Check Race

```c
struct stat st;
sprintf(log_entry, "# User %s ran: %s\n", username, user_command);
if (stat("/tmp/daily_activity.log", &st) == -1) {                        // check: file does not exist yet
    // time window: the file, or a symlink at its path, can appear here
    int fd = open("/tmp/daily_activity.log", O_CREAT | O_WRONLY, 0644);   // use: follows whatever is there now
    write(fd, log_entry, strlen(log_entry));
    close(fd);
}
```

### Pattern 3: Symlink Detection Race

```c
struct stat st;
if (lstat("/var/log/app.log", &st) == 0 && S_ISLNK(st.st_mode)) {   // check: is the path a symlink?
    unlink("/var/log/app.log");
}
// time window: a symlink can be recreated after the check
int fd = open("/var/log/app.log", O_CREAT | O_WRONLY, 0644);         // use: follows the recreated link
write(fd, log_line, strlen(log_line));
close(fd);
```

## Real-World CVE Examples

#TODO

### CVE-2024-30088: Windows Kernel Security Attributes TOCTOU

### CVE-2022-1537: GruntJS File Copy TOCTOU

### CVE-2025-11462: AWS Client VPN macOS Log Rotation Race

## Sources

- [CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition](https://cwe.mitre.org/data/definitions/367.html)
- https://starlabs.sg/blog/2025/07-fooling-the-sandbox-a-chrome-atic-escape/
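## Hardened Example

As an added example (not code from the original note), the common fix for all three patterns above: stop checking a path and using it later, and instead open once with O_NOFOLLOW and validate the returned descriptor with fstat(), so the object checked is the object written. The mkdtemp scratch directory and the `decoy` / `planted.log` names are constructed for the demo and are assumptions, not part of the note.

```c
#define _XOPEN_SOURCE 700                 /* for mkdtemp, O_NOFOLLOW, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file for appending, refusing anything that is not a plain,
 * un-aliased, caller-owned regular file. The path is used only by open();
 * every property is checked on the descriptor it returned. Returns fd or -1. */
int safe_open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd == -1)
        return -1;                        /* O_NOFOLLOW makes a symlink fail with ELOOP */
    struct stat st;
    if (fstat(fd, &st) == -1 ||
        !S_ISREG(st.st_mode) ||           /* not a FIFO, device node, or directory */
        st.st_nlink != 1 ||               /* not reachable through a second hard link */
        st.st_uid != geteuid()) {         /* not pre-created by another user */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory: a regular log file must open, and
 * a symlink planted at the log path (Pattern 3's setup) must be refused.
 * Returns 1 when both hold, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";          /* constructed scratch dir */
    char logp[64], decoy[64], linkp[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(logp, sizeof logp, "%s/app.log", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(linkp, sizeof linkp, "%s/planted.log", dir);
    int ok = 1, fd = safe_open_log(logp);            /* honest case: plain file */
    if (fd == -1 || write(fd, "line\n", 5) != 5) ok = 0;
    if (fd != -1) close(fd);
    close(open(decoy, O_WRONLY | O_CREAT, 0600));    /* decoy the symlink points at */
    if (symlink(decoy, linkp) == -1 || safe_open_log(linkp) != -1) ok = 0;
    unlink(linkp); unlink(decoy); unlink(logp); rmdir(dir);
    return ok;
}

int main(void)
{
    return demo_symlink_rejected() ? 0 : 1;          /* exit status 0: both checks held */
}
```

The same descriptor-based approach replaces Pattern 1's `access()` check: drop privileges (or use the fd's permission bits via fstat) and act on the opened object, never on the path a second time.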