Example Sins

The following entries in Common Vulnerabilities and Exposures (CVE) at http://cve.mitre.org are examples of race conditions.

CVE-2001-1349

From the CVE description:

Sendmail before 8.11.4, and 8.12.0 before 8.12.0.Beta10, allows local users to cause a denial of service and possibly corrupt the heap and gain privileges via race conditions in signal handlers.

This is the signal race condition documented in Zalewski's paper on delivering signals, which we reference earlier. The exploitable condition happens due to a double-free on a global variable that is hit on reentry into the signal handling routine. Although neither the Sendmail advisory nor the SecurityFocus vulnerability database references publicly available exploit code, it's interesting to note that there is a (dead) link to exploit code in the original paper.
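The handler pattern behind this class of bug, next to a reentrancy-safe form, as an added example (not Sendmail's code and not from the book). All names here (g_buf, risky_handler, safe_handler, run_demo) are hypothetical, and the two signals are delivered with raise() only to exercise the safe path.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

char *g_buf;                        /* global state the handlers can reach */
volatile sig_atomic_t g_stop;       /* the only object safe_handler touches */
int g_cleanups;                     /* counts cleanup runs, for the demo */

/* Risky pattern (never installed here): free() is not async-signal-safe,
 * and if a second signal sharing this handler arrives before g_buf is
 * cleared, the handler is re-entered and frees the same pointer twice. */
void risky_handler(int sig) {
    (void)sig;
    free(g_buf);
    g_buf = NULL;
}

/* Safer pattern: record that a signal arrived and return immediately. */
void safe_handler(int sig) {
    (void)sig;
    g_stop = 1;
}

/* Cleanup runs in normal program flow, never inside a handler. */
void cleanup(void) {
    free(g_buf);
    g_buf = NULL;
    g_cleanups++;
}

/* Installs safe_handler for SIGTERM and SIGINT, each blocked while the
 * handler runs, delivers both, then cleans up once from normal flow.
 * Returns the number of cleanup runs, or -1 on error. */
int run_demo(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGTERM);
    sigaddset(&sa.sa_mask, SIGINT);
    if (sigaction(SIGTERM, &sa, NULL) || sigaction(SIGINT, &sa, NULL)) return -1;
    g_cleanups = 0;
    g_stop = 0;
    if ((g_buf = malloc(64)) == NULL) return -1;
    raise(SIGTERM);                 /* both deliveries only set the flag */
    raise(SIGINT);
    if (g_stop) cleanup();
    return g_cleanups;
}
```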

CAN-2003-1073

From the CVE description:

A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. (dot dot) sequences in the job name, then modifying the directory structure after it checks permissions to delete the file and before the deletion actually takes place.

This exploit is detailed at www.securityfocus.com/archive/1/308577/2003-01-27/2003-02-02/0, and it combines a race condition with a failure to properly check that filenames do not contain ../, which would cause the at scheduler to remove files outside of the directory jobs are stored in.

CVE-2000-0849

From the CVE description:

Race condition in Microsoft Windows Media server allows remote attackers to cause a denial of service in the Windows Media Unicast Service via a malformed request, aka the Unicast Service Race Condition vulnerability.

More details on this vulnerability can be found at www.microsoft.com/technet/security/Bulletin/MS00-064.mspx. A malformed request puts the server into a state where subsequent requests result in service failure until the service is restarted.



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
EAN: 2147483647
Year: 2003
Pages: 239
