Administrator's Guide

Templates and Alerts
Appendix A

Race Condition Template
The vulnerability addressed by this template
There is a class of attacks that exploits the window between the time a program checks a file and the time that program uses the file. This race condition is often referred to as the Time-Of-Check-To-Time-Of-Use (TOCTTOU) vulnerability. For instance, a mail delivery program might check that a file exists before it changes ownership of the file to the intended recipient. If an attacker is able to change the file reference between these two steps, it can cause the program to change the ownership of an arbitrary file.
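The check-then-use window in the mail delivery example above, as an added illustration that is not part of this guide or of the HP-UX intrusion detection software: deliver_racy checks and acts on a pathname that is resolved twice, while deliver_safe opens the file once, refuses a symbolic link, and does both the check and the ownership change on the open descriptor. The function names and the /tmp fixture paths are hypothetical and constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L        /* O_NOFOLLOW, mkstemp, symlink */
#endif
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum deliver_rc { DELIVER_OK = 0, DELIVER_NOT_REGULAR, DELIVER_SYMLINK, DELIVER_CHOWN_FAILED };

/* Check-then-use on a pathname: stat() and chown() each resolve `path` on their own,
 * so the object that was checked need not be the object chowned. Shown only for contrast. */
int deliver_racy(const char *path, uid_t recipient)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return DELIVER_NOT_REGULAR;                          /* time of check */
    if (st.st_uid != recipient && chown(path, recipient, (gid_t)-1) != 0)
        return DELIVER_CHOWN_FAILED;                         /* time of use */
    return DELIVER_OK;
}

/* Hardened form: resolve the path exactly once, refuse a symbolic link as
 * the final component, and do both the check and the ownership change on
 * the open descriptor, which stays bound to one inode for its lifetime. */
int deliver_safe(const char *path, uid_t recipient)
{
    struct stat st; int rc = DELIVER_OK;
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)                 /* on Linux, ELOOP here means "final component is a symlink" */
        return errno == ELOOP ? DELIVER_SYMLINK : DELIVER_NOT_REGULAR;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        rc = DELIVER_NOT_REGULAR;
    else if (st.st_uid != recipient && fchown(fd, recipient, (gid_t)-1) != 0)
        rc = DELIVER_CHOWN_FAILED;
    close(fd);
    return rc;
}

/* Constructed fixture: an empty temporary "mailbox" plus a symlink to it. Returns 0 on success. */
int make_fixture(char *file, char *link, size_t len)
{
    snprintf(file, len, "/tmp/rc_mbox_XXXXXX");
    int fd = mkstemp(file);
    if (fd < 0 || close(fd) != 0) return -1;
    snprintf(link, len, "%s.lnk", file);
    return symlink(file, link);
}
```

Run against the fixture, deliver_racy reports the symlink as a deliverable regular file because stat() follows it, whereas deliver_safe rejects it before any ownership change is attempted.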
There is also a TOCTTOU attack against privileged setuid scripts. It uses the window between the moment the kernel determines that the program is a privileged script and spawns an interpreter with privilege, and the moment the interpreter opens the script to execute it. If an attacker is able to change the file reference between these two steps, it can cause the interpreter to execute an arbitrary script with privilege. An attacker can exploit the vulnerability by repeatedly executing a privileged setuid script via a symbolic link, where the symbolic link is constantly being switched between the privileged script and the attacker's own attack script. Starting with HP-UX 11i v1.6, a kernel tunable called secure_sid_scripts (5) was introduced; its default value causes the kernel to ignore the setuid and setgid bits on scripts. The vulnerability can still be exploited if the tunable is configured to honor a privileged script's setuid and setgid bits, favoring compatibility over security. See the secure_sid_scripts (5) manpage for details.
How this template addresses the vulnerability
The Race Condition (RC) template monitors the file accesses that privileged programs make and generates an alert if a file reference appears to have changed unexpectedly.

This template also monitors the execution of privileged setuid scripts, which are susceptible to a race condition when executed via a symbolic link. Starting with HP-UX 11i v1.6, the setuid bit of a setuid script is ignored if the default value of the secure_sid_scripts kernel tunable parameter is in place.
How this template is configured
This template supports the following properties:

Table A-6 Template Properties

Name                    Type   Default Value
priv_uid_list           III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
pathnames_to_not_watch  I      <empty>
pathnames_1             II     ^/etc/passwd$
programs_1              II     ^/usr/bin/passwd$
                               ^/usr/sbin/useradd$
                               ^/usr/sbin/userdel$
                               ^/usr/sbin/usermod$
pathnames_X             II     <empty>
programs_X              II     <empty>