Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

C static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C code

Accessing files should not introduce TOCTOU vulnerabilities

intentionality - logical

security

Vulnerability

CriticalSonarSource default severity
click to learn more

When an application manipulates files, "Time-Of-Check to Time-Of-Use" can occur when a file-checking operation is disconnected from the actual operation it is bound to.

For example, such a vulnerability occurs when a file existence check is performed strictly before a file creation operation.

Why is this an issue?

How can I fix it?

More Info

Race conditions can happen when file operations and their associated pre-checks are disconnected. Indeed, while the application assumes that the checked file property will not change before performing the operation, there is a chance that changes are applied to the file.

Especially, a concurrent process, which an attacker can control, could modify a file right after a check is performed and before the actual use. This file can be deleted, created, altered, or see its permissions changed depending on the use case.

What is the potential impact?

The impact of a successfully exploited race condition is dependent on the business logic of the vulnerable application. The consequences will vary depending on what check is performed and how the file is used.

In general, attackers use such attacks to escalate privileges, execute arbitrary code, or perform a denial of service.

Arbitrary code execution

Executable or script file integrity and authenticity checks can be bypassed when exploiting a TOCTOU vulnerability. In such a scenario, attackers would change an executable file content between when its integrity is checked and when the application executes it.

This attack would allow attackers to trick the application into executing malicious, arbitrary code. They would then be granted the same privilege levels as the application itself, which can be particularly severe when it runs with administration privileges.

Privileges escalation

When the attacker is a local user on the same server as the running application, the same attack is possible with extended probability. In such a case, attackers can exploit the reading and writing to configuration files, the creation of local network resources, or the use of temporary files to achieve the same code execution purpose.

However, in that case, the attack is only meaningful when the application is running with high or otherwise interesting privileges. Attackers exploiting a TOCTOU vulnerability that way would achieve horizontal or vertical privilege escalation.

Denial of service

When the application expects some file properties to be set at the operation time, it will often face unexpected errors when those properties have actually changed. This might be the case when writing to a file where newly set permissions forbid that operation or when reading from a deleted file.

When such errors are faced, the application might unexpectedly stop, which can affect its availability. Depending on the application and hosting architectures, the interruption can be temporary or permanent, partial or complete.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

In-IDE

SaaS

Self-Hosted