A race-condition occurs when a system attempts to perform two or more operations at the same time. A race-condition vulnerability is a flaw that makes it possible for a program to fail to meet its security requirements during a race-condition. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access to a computer network. The impact to a computer network from a race-condition vulnerability may be a denial of service via the local system, modification of system information, execution of arbitrary code via the local system, root access via the local system, modification of user information, and user access via the local system. A race-condition vulnerability can also affect individual computers and computer memory. The impact in this type of situation may be a computer crash, an "illegal operation" notification and shutdown of the program, errors reading old data, or errors writing new data. All common operating systems and platforms, such as Linux, Unix, Java, MacOS, Windows, etc., have race-condition vulnerabilities.
A race-condition is a situation that occurs when a system attempts to perform two or more operations at the same time, but because of the nature of the system, the operations must be done in the proper sequence in order to be done correctly. One situation where a race-condition may occur would be if two users attempt to access an available channel at the same instant, and neither computer receives notification that the channel is occupied before the system grants access. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access to a computer network. In another situation, a race condition may occur if commands to read and write a large amount of data are received at almost the same instant, and the machine attempts to overwrite some or all of the old data while that old data is still being read. The result may be a computer crash, an "illegal operation" notification and shutdown of the program, errors reading old data, or errors writing new data.
Race conditions can also occur in hardware devices. For example, in a logic gate, a race-condition occurs when certain inputs come into conflict. Because the gate output takes a finite, nonzero amount of time to react to any change in input states, sensitive circuits or devices following the gate may be fooled by the transient state of the output and thereby caused not to operate properly.
Finally, there can also exist physical race-conditions. One frequent example occurs during an employee firing or company layoff. In this case, the computer access privileges are not revoked at the instant of employee notification. Consequently, a malicious attack can occur in the interval. Similarly, maintenance access privileges that do not expire expediently also pose a race-condition vulnerability.
Race conditions typically are associated with synchronization errors within a piece of software. An example for UNIX occurs with the mktemp() library call. This condition is a well-known problem and relatively easy to exploit: the program calling mktemp() generally runs with extra privilege, and the race condition between its file test and its subsequent file open can be exploited.
Another common example of a race-condition security vulnerability occurs when a system-level shell program generates a temporary file with improper protection. These files, if caught in time by the attacker, can be overwritten and possibly open up security risks. If the attacker can guess what the file name is, he can write a simple program that continuously checks for the file and acts as soon as its existence is detected. An example is the updatedb crontab script, which generates a /tmp/locatedb.XXXX file that is world-writable. The file is later moved without checking to /var/lib/locatedb.
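The two temporary-file defects above, the test-then-open window and the world-writable file, as an added C example that is not from the original article: the racy pattern sits beside the atomic create that closes it. All paths and names under /tmp are constructed for illustration.

```c
/* Added example, not from the original article: the check-then-open
 * race described above next to the atomic create that closes it.
 * Paths and names under /tmp are constructed for illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: test for the file, then open it. Between access()
 * and open() anyone who guesses the name can drop a file or symlink
 * there, and the privileged open() follows it. The 0666 mode (before
 * umask) also leaves the file world-writable, as in the locatedb case.
 * Returns a descriptor or -1. */
int open_tmp_racy(const char *path) {
    if (access(path, F_OK) == 0)        /* "does it already exist?" */
        return -1;
    /* the window of opportunity lies here */
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened pattern for a fixed name: O_CREAT|O_EXCL makes the kernel do
 * the existence check and the create as one step, and it refuses to
 * follow a symlink planted at the path. Mode 0600 keeps others out. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hardened pattern for a temporary file: mkstemp() picks an unpredictable
 * name and creates it with O_CREAT|O_EXCL and mode 0600 in one call.
 * tmpl must end in "XXXXXX" and is overwritten with the chosen name. */
int open_tmp_safe(char *tmpl) {
    return mkstemp(tmpl);
}

/* Check on an open descriptor: a regular file (no link was followed)
 * with owner-only permissions. Returns 1 if so, else 0. */
int tmpfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}
```

Note that O_EXCL only helps on the original create; a file that is later moved into place, as updatedb did, must be created privately in the first place.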
Many race-condition vulnerabilities occur within the password subsystems of programs. One example of an exploitation of a race-condition vulnerability is the misuse of the program that allows an ordinary user to change their password. This description of the passwd exploit was obtained from . The passwd exploit takes advantage of a race condition between the Linux kernel and the passwd system program. The program allows an ordinary user to provide their current password along with a new password. It then updates a system-wide database of the user's information so that the database contains the new password. The system-wide database is commonly referred to as the /etc/passwd or the /etc/shadow file. A user does not normally have permission to edit this file, so passwd must run with root privileges in order to modify it. Normally, the passwd system process performs only a restricted set of actions, consisting of editing the /etc/passwd and/or the /etc/shadow file. Because of a race condition in the Linux kernel that allows an unprivileged process to debug a system process, the passwd system process can be made to do more. Using an unprivileged process, an attacker can alter or "debug" the passwd system process and force it to execute a command shell, granting the attacker elevated privileges.
A final example is the ptrace facility in some Linux distributions. It is vulnerable to a race-condition that could allow a local attacker to gain root privileges. If ptrace is running in the background and a setuid root binary program (such as newgrp, which executes a shell) is executed, a local attacker can execute arbitrary code on the system to gain root privileges.
A race-condition will occur when a system attempts to perform two or more operations at the same time. During a race-condition it is possible for a program's security to be vulnerable. A race-condition vulnerability can affect a networked host, a single computer, and a hardware device. An attacker can take advantage of a race-condition vulnerability to gain unauthorized access and elevated privileges on a computer network. With an access point and elevated privileges, the attacker may perform virtually any malicious action desired.
Many online databases that monitor security vulnerabilities list race-condition vulnerabilities and their fixes. A review of the "Exploits" database maintained by SecuriTeam found 87 listings for race condition vulnerabilities. Similarly, the SecurityFocus Vulnerability Database documents 50 different race-condition vulnerabilities in 2001 and 2002.
Most defenses against race-conditions consist of taking proper action when known vulnerabilities are published. For example, when a vulnerability becomes known, the features known to be unsafe in that particular environment should be disabled (if possible) or isolated (i.e. access to those processes limited) until a secure solution is in place. Of course, testing for faults (or detection before exploitation) should be ongoing. Finally, full and complete documentation of all audits, integrity checking, and implemented solutions to known attack scanning should be kept.
Microsoft Security Advisor Program: Glossary of Terms. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/glossary.asp
SecurityTracker is a service operated by SecurityGlobal.net LLC. It keeps track of the latest security vulnerabilities. SecurityTracker monitors a wide variety of Internet sources for reports of new vulnerabilities in Internet software and/or services. It provides a timely and reliable source for vulnerability notification. http://www.securitytracker.com/topics/topics.html
WHATIS.COM Definitions, 2003. http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci871100,00.html
Simson Garfinkel & Gene Spafford, Practical UNIX & Internet Security, 23.2 Tips on Avoiding Security-related Bugs, Second Edition, April 1996. http://www.busan.edu/~nic/networking/puis/ch23_02.htm
Liu Die Yu, Mozilla and Netscape race condition, 17 April 2003. http://www.computercops.biz/article2345.html
COMPUTER SECURITY, Lecture Fourteen, Network Security II, Dr. Richard Spillman, Summer 2002. http://www.cs.plu.edu/courses/csci490/ComputerSec/notes/sec_l14_2002.ppt
Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, Tan, Kymie M.C., Killourhy, Kevin S., and Maxion, Roy A., Computer Science Department, Carnegie-Mellon University, Pittsburgh, PA, USA, 2002. http://www.cs.cmu.edu/People/maxion/pubs/TanKillourhyMaxion02.pdf
X-Force Database, Internet Security Systems. http://xforce.iss.net/xforce/xfdb/7311
SecuriTeam is a small group within Beyond Security dedicated to bringing you the latest news and utilities in computer security. It is a central security web site containing all the newest security information from various mailing lists, hacker channels, etc. http://www.securiteam.com/exploits/archive.html
SecurityFocus Vulnerability Database, operated by Symantec Corporation, 2003. http://www.securityfocus.com/bid/keyword/