### The vulnerability addressed by this template

Some attacks use the time between a program's check of a file and the time that the program uses that file. The race condition is sometimes referred to as the Time-Of-Check-To-Time-Of-Use (TOCTTOU) vulnerability. For instance, a mail delivery program checks to see if a file exists before it changes ownership of the file to the intended recipient. If an attacker can change the file reference between these two steps, it can cause the program to change the ownership of an arbitrary file.

Certain TOCTTOU attacks against privileged setuid scripts use the time between the kernel determining that a program is a privileged script and spawning an interpreter with privilege, and the interpreter opening the script to execute it. If an attacker can change the file reference between these two steps, it can cause the interpreter to execute an arbitrary script with privilege. An attacker can exploit the vulnerability by repeatedly executing a privileged setuid script through a symbolic link, where the symbolic link is constantly being changed from pointing to the privileged script to pointing to the attacker's own attack script.

Starting with HP-UX 11i v1.6, a kernel tunable parameter called secure_sid_scripts(5) was introduced with a default value that indicates that the setuid and setgid bits on scripts are ignored by the kernel. The vulnerability can also be exploited if the tunable parameter is configured to honor a privileged script's setuid and setgid bits in favor of compatibility over security. Refer to secure_sid_scripts(5) for details.

### How this template addresses the vulnerability

The Race Condition template monitors the file accesses that privileged programs make. The template generates an alert if a file reference appears to have unexpectedly changed. This template also monitors the execution of privileged setuid scripts, which are susceptible to a race condition when executed from a symbolic link.
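The check-then-use window from the mail delivery example above, shown beside a form that closes it, as an added example that is not part of the HP-UX documentation or of HIDS itself. It assumes a POSIX system with O_NOFOLLOW (the names chown_check_then_use, chown_no_race and demo are the example's own), and demo builds a constructed mailbox, symbolic link and missing name under a temporary directory using the caller's own uid and gid so that no privilege is needed.

```python
import os
import stat
import tempfile

def chown_check_then_use(path, uid, gid):
    # The vulnerable shape from the mail-delivery example: the existence check
    # and the chown each resolve `path` by name, so the name can be re-pointed
    # (for example through a symbolic link) inside the window between them.
    if not os.path.exists(path):
        return False
    os.chown(path, uid, gid)  # second lookup; follows a symlink if one is there
    return True

def chown_no_race(path, uid, gid):
    """Hardened shape: one lookup that refuses symbolic links, then every check
    and the ownership change act on the open descriptor, not on the name."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False  # missing, not readable, or a symbolic link (ELOOP)
    try:
        st = os.fstat(fd)  # attributes of the object actually opened
        if not stat.S_ISREG(st.st_mode):
            return False
        os.fchown(fd, uid, gid)  # same object as the one checked; no name to race
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a mailbox file, a symbolic link to it, and a name
    that does not exist; uid/gid are the caller's own so no privilege is needed."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        mailbox = os.path.join(d, "mbox")
        open(mailbox, "w").close()
        link = os.path.join(d, "mbox-link")
        os.symlink(mailbox, link)
        missing = os.path.join(d, "absent")
        return (chown_no_race(mailbox, uid, gid),   # True: regular file
                chown_no_race(link, uid, gid),      # False: symlink refused
                chown_no_race(missing, uid, gid))   # False: nothing to open

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```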
Starting with HP-UX 11i v1.6, the setuid bit of a setuid script is ignored if the default value of the secure_sid_scripts tunable kernel parameter is in place.

### How this template is configured

Table A-6 lists the configurable properties the Race Condition template supports.

Table A-6 Race Condition Template Properties

| Property | Type | Default Value |
|---|---|---|
| priv_user_list | III | root, daemon, bin, sys, adm, uucp, lp, nuucp |
| pathnames_to_not_watch | I | <empty> |
| pathnames_1 | II | ^/etc/passwd$ |
| programs_1 | II | ^/usr/bin/passwd$ & ^/usr/sbin/useradd$ & ^/usr/sbin/userdel$ & ^/usr/sbin/usermod$ |
| pathnames_X | II | <empty> |
| programs_X | II | <empty> |
### Properties

The properties of the Race Condition template are described as follows:

- priv_user_list: A list of system-level user IDs or user names. This list contains those users who have elevated access to the system. Removing any of these users means that an attack against one of them is not detected by this template. Only programs that run with an effective user ID equal to one of the listed uids, or corresponding to one of the listed user names, are monitored, and only the execution of setuid scripts owned by a user listed in this property generates an alert.
- pathnames_to_not_watch: Path names of programs that can be safely ignored. Any race condition alert for a file whose path name is matched by a regular expression in the pathnames_to_not_watch property is filtered out and not reported. You can use this property to filter alerts generated when a privileged setuid script is executed. You must specify the full path name of the script.
- pathnames_X, programs_X: You can use these properties to filter out race condition alerts generated when a specified program modifies the file reference of a privileged program for a particular file. See "Type II: Path Names/Programs Pairs" for a detailed description of these property pairs.
### Alerts generated by this template

The following alerts are generated by the Race Condition template:

#### File Reference Modification

Table A-7 lists the alert properties that the File Reference Modification template generates and forwards to a response program when the file reference in a privileged program is modified unexpectedly.

Table A-7 File Reference Modification Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 1 | Unique code assigned to template. |
| argv[2] | Version | Integer | 3 | Version of the template. |
| argv[3] | Severity | Integer | 1 | Alert severity. |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when an unexpected file reference was detected. |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process, if known, that modified a privileged program's file reference. All values are set to -1 if the attacker is not known. |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the file whose reference was modified, and the file's type, mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | File reference change | Alert summary. |
| argv[8] | Details | String | File reference for file <full pathname> (type=<type>, inode=<inode>, device=<device>) has changed unexpectedly for process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>). Attacker is process <pid> when executing <program> (type=<type>, inode=<inode>, device=<device>). | Detailed alert description. |
| argv[9] | Event | String | null | The event that triggered the alert. |

NOTE: See Table B-1 and Table B-3 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
#### Privileged setuid Script Executed

This template generates and forwards alerts to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit. Table A-8 lists the alert properties the Privileged setuid Script Executed template supports.

Table A-8 setuid Script Executed Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 1 | Unique code assigned to template. |
| argv[2] | Version | Integer | 3 | Template version. |
| argv[3] | Severity | Integer | 1 if executed via symbolic link; otherwise 2 | Alert severity. |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when a privileged setuid script was executed. |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script. |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the privileged setuid script and the script's type, mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | Race condition attack if the script is executed from a symbolic link. Otherwise, set to potential race condition attack. | Alert summary. |
| argv[8] | Details | String | User with <uid> running as process with pid <pid> and with parent pid <ppid> is executing the privileged setuid script <full pathname> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0] argv[1] ...>, [*perhaps*] from a symbolic link. Privileged setuid script owned by a user with uid <uid>. A privileged setuid script is vulnerable to a race condition attack. | Detailed alert description. |
| argv[9] | Event | String | null | The event that triggered the alert. |

NOTE: See Table B-1 and Table B-3 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
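A response program that takes the nine fields of Tables A-7 and A-8 apart, added here as an example; it is not HIDS code or part of the HP-UX documentation. It assumes the fields arrive as command-line arguments in the order the tables give and that the Summary text distinguishes the two alerts, since both carry template code 1; the two sample alerts are constructed, with made-up uids, pids, paths, inode and device numbers.

```python
import re

# argv[1..9] of the response program, in the order Tables A-7 and A-8 give.
FIELDS = ("template_code", "version", "severity", "utc_time",
          "attacker", "target", "summary", "details", "event")

def parse_kv(text):
    """'uid=0, gid=3, pid=1234, ppid=1' -> {'uid': '0', 'gid': '3', ...}"""
    return dict(re.findall(r"(\w+)=([^,]*)", text))

def parse_alert(argv):
    """argv is the response program's full argument vector (argv[0] = its name)."""
    if len(argv) < 10:
        raise ValueError("expected 9 alert fields, got %d" % (len(argv) - 1))
    alert = dict(zip(FIELDS, argv[1:10]))
    for key in ("template_code", "version", "severity", "utc_time"):
        alert[key] = int(alert[key])
    alert["attacker"] = {k: int(v) for k, v in parse_kv(alert["attacker"]).items()}
    alert["target"] = parse_kv(alert["target"])
    # Both alerts carry template code 1, so the Summary text tells them apart
    # (assumption: the summary is exactly the text the tables show).
    if alert["summary"] == "File reference change":
        alert["kind"] = "file_reference_change"
    else:
        alert["kind"] = "setuid_script_executed"
    # Table A-7: every attacker value is -1 when the attacker is not known.
    alert["attacker_known"] = alert["attacker"].get("pid", -1) != -1
    # Table A-8: severity 1 means the script was run through a symbolic link.
    alert["via_symlink"] = (alert["kind"] == "setuid_script_executed"
                            and alert["severity"] == 1)
    return alert

# Constructed sample alerts, not captured from a real system.
SETUID_SCRIPT_ALERT = [
    "/opt/hids/respond", "1", "3", "1", "1044650200",
    "uid=1001, gid=20, pid=4242, ppid=4100",
    "file=/usr/local/bin/report.sh, type=regular, mode=4755, uid=0, gid=3, "
    "inode=7781, device=64768",
    "Race condition attack",
    "User with 1001 running as process with pid 4242 is executing the "
    "privileged setuid script /usr/local/bin/report.sh from a symbolic link.",
    "null",
]
FILE_REFERENCE_ALERT = [
    "/opt/hids/respond", "1", "3", "1", "1044650300",
    "uid=-1, gid=-1, pid=-1, ppid=-1",
    "file=/etc/passwd, type=regular, mode=0444, uid=0, gid=3, inode=12, device=64768",
    "File reference change",
    "File reference for file /etc/passwd has changed unexpectedly.",
    "null",
]
```

On HP-UX the response program is launched with these fields as its arguments, so `parse_alert(sys.argv)` is the whole entry point.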
### Limitations

The Race Condition template can be CPU intensive because it monitors all file references on the system.