centos 6
race weakness #6

5

Weakness Breakdown


Definition:

A race condition exists when parallel code accesses shared data without proper coordination. An attack that uses a race-condition weakness takes advantage of the unsafe data access to manipulate how one of the parallel sections of code reacts. Even though each process runs as intended, the outcome is unexpected. For example, consider a bank service that depends on an encryption key that it reads from a known location. An independent cryptography service is responsible for generating the key and placing it where the bank is expected to read it in a timely manner. If the bank and cryptography services do not coordinate with each other, then the bank may read a blank encryption key before cryptography writes the key to the location. This can effectively turn off all encryption for the bank without either service, or the administrator, knowing that something has gone wrong.

Warning code(s):

This accepts filename arguments; if an attacker can move those files, a race condition results..

File Name:

kdelibs-4.3.4/kpty/kpty.cpp

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 race weakness.

       d->masterFd = KDE_open(ptyName.data(), O_RDWR);
      if (d->masterFd >= 0)
      {
#ifdef Q_OS_SOLARIS
        /* Need to check the process group of the pty.
         * If it exists, then the slave pty is in use,
         * and we need to get another one.
         */
        int pgrp_rtn;
        if (ioctl(d->masterFd, TIOCGPGRP, &pgrp_rtn) == 0 || errno != EIO) {
          ::close(d->masterFd);
          d->masterFd = -1;
          continue;
        }
#endif /* Q_OS_SOLARIS */
        if (!access(d->ttyName.data(),R_OK|W_OK)) // checks availability based on permission bits
        {
          if (!geteuid())
          {
            struct group* p = getgrnam(TTY_GROUP);
            if (!p)
              p = getgrnam("wheel");
            gid_t gid = p ? p->gr_gid : getgid ();

            chown(d->ttyName.data(), getuid(), gid);
            chmod(d->ttyName.data(), S_IRUSR|S_IWUSR|S_IWGRP);
          }
          goto gotpty;
        }
        ::close(d->masterFd);
        d->masterFd = -1;
      }
    }
  }

  kWarning(175) << "Can't open a pseudo teletype";
  return false;

 gotpty:
  KDE_struct_stat st;
  if (KDE_stat(d->ttyName.data(), &st))
    return false; // this just cannot happen ... *cough*  Yeah right, I just
                  // had it happen when pty #349 was allocated.  I guess
                  // there was some sort of leak?  I only had a few open.
  if (((st.st_uid != getuid()) ||
       (st.st_mode & (S_IRGRP|S_IXGRP|S_IROTH|S_IWOTH|S_IXOTH))) &&
      !d->chownpty(true))
  {
    kWarning(175)
      << "chownpty failed for device " << ptyName << "::" << d->ttyName 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.