Race conditions can happen when file operations and their associated pre-checks are disconnected. Indeed, while the application assumes that the
checked file property will not change before performing the operation, there is a chance that changes are applied to the file.
Especially, a concurrent process, which an attacker can control, could modify a file right after a check is performed and before the actual use.
This file can be deleted, created, altered, or see its permissions changed depending on the use case.
What is the potential impact?
The impact of a successfully exploited race condition is dependent on the business logic of the vulnerable application. The consequences will vary
depending on what check is performed and how the file is used.
In general, attackers use such attacks to escalate privileges, execute arbitrary code, or perform a denial of service.
Arbitrary code execution
Executable or script file integrity and authenticity checks can be bypassed when exploiting a TOCTOU vulnerability. In such a scenario, attackers
would change an executable file content between when its integrity is checked and when the application executes it.
This attack would allow attackers to trick the application into executing malicious, arbitrary code. They would then be granted the same privilege
levels as the application itself, which can be particularly severe when it runs with administration privileges.
Privileges escalation
When the attacker is a local user on the same server as the running application, the same attack is possible with extended probability. In such a
case, attackers can exploit the reading and writing to configuration files, the creation of local network resources, or the use of temporary files to
achieve the same code execution purpose.
However, in that case, the attack is only meaningful when the application is running with high or otherwise interesting privileges. Attackers
exploiting a TOCTOU vulnerability that way would achieve horizontal or vertical privilege escalation.
Denial of service
When the application expects some file properties to be set at the operation time, it will often face unexpected errors when those properties have
actually changed. This might be the case when writing to a file where newly set permissions forbid that operation or when reading from a deleted
file.
When such errors are faced, the application might unexpectedly stop, which can affect its availability. Depending on the application and hosting
architectures, the interruption can be temporary or permanent, partial or complete.
