Test environment
:)uname -a
Linux book-desktop 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
TOCTTOU description (quoted from APUE)
The basic idea behind TOCTTOU errors is that a program is vulnerable if it makes
two file-based function calls where the second call depends on the results of the first
call. Because the two calls are not atomic, the file can change between the two calls,
thereby invalidating the results of the first call, leading to a program error. TOCTTOU
errors in the file system namespace generally deal with attempts to subvert file system
permissions by tricking a privileged program into either reducing permissions on a
privileged file or modifying a privileged file to open up a security hole. Wei and Pu
[2005] discuss TOCTTOU weaknesses in the UNIX file system interface.
Code test
/* @file main.c */
#define _GNU_SOURCE /* fexecve() needs this feature macro on glibc */
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#define EXEF "test"
int main(void)
{
    int fd;
    char *argv[] = {EXEF, NULL};
    char *env[] = {NULL};
    /* "check": the fd is bound to whatever inode EXEF names right now */
    fd = open(EXEF, O_RDONLY);
    if (fd < 0)
    {
        printf("open error\n");
        return 1;
    }
    getc(stdin); /* wait here; meanwhile we can replace the contents of EXEF */
    /* "use": fexecve() runs whatever that inode contains at this moment */
    fexecve(fd, argv, env);
    printf("fexecve error:%d\n", errno);
    return 1;
}
>gcc -o main main.c
Compile main.c to produce the main executable.
/* @file testA.c */
#include <stdio.h>
int main(void)
{
    printf("this is correct test file\n");
    return 0;
}
>gcc -o testA testA.c
Compile testA.c to produce the testA executable.
/* @file testB.c */
#include <stdio.h>
int main(void)
{
    printf("this is malicious test file\n");
    return 0;
}
>gcc -o testB testB.c
Compile testB.c to produce the testB executable.
>cp testA test
Copy testA to the file test.
>./main
Run main.
Switch to another console and replace the contents of test.
>cp testB test
Switch back to the original console.
Press Enter.
Program output:
this is malicious test file
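Why the second copy wins, as an added example in C that is not part of the original post: the fd main holds refers to an inode, and `cp testB test` truncates and rewrites that same inode, whereas a rename over the path would have left the fd on the old file. The block also shows the fstat()-based check on the open fd (owner and write bits) that a privileged program should run before fexecve(); the /tmp file names are made up for the demo.

```c
/* Added example, not from the original post. An fd names an inode, not a
 * path: renaming another file over the path leaves the fd on the old inode,
 * but truncating and rewriting the path (what `cp src dst` does when dst
 * exists) changes the inode the fd holds. /tmp names are made-up. */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define TARGET "/tmp/toctou_demo_test"
#define OTHER  "/tmp/toctou_demo_other"

/* Create or truncate path and write text into it; 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* fstat()-based pre-flight on the open fd itself, not on the path:
 * 1 if it is a regular file owned by us or root and not group/world
 * writable, so no one else can rewrite the inode before fexecve(). */
int fd_is_trusted(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open TARGET holding "good", replace it by rename (in_place == 0) or by
 * truncate-and-rewrite (in_place == 1), then read through the old fd.
 * Returns 1 if the fd now yields "evil", 0 if it kept "good", -1 on error. */
int replacement_visible_through_fd(int in_place)
{
    char buf[16];
    if (write_file(TARGET, "good") != 0) return -1;
    int fd = open(TARGET, O_RDONLY);
    if (fd < 0) return -1;
    int rc = in_place ? write_file(TARGET, "evil")
                      : (write_file(OTHER, "evil") || rename(OTHER, TARGET));
    if (rc != 0) { close(fd); return -1; }
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return strcmp(buf, "evil") == 0;
}
```

The rename case returns 0 (the fd still reads "good") and the in-place case returns 1, which is exactly the behaviour the experiment above observed with cp.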