HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Race Condition Template
The vulnerability addressed by this template
Some attacks use the time between a program’s check of a file and the time that the
program uses that file. This race condition is sometimes referred to as the
Time-Of-Check-To-Time-Of-Use (TOCTTOU) vulnerability. For instance, a mail delivery
program checks to see if a file exists before it changes ownership of the file to the
intended recipient. If an attacker can change the file reference between these two steps,
the attacker can cause the program to change the ownership of an arbitrary file.
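The check-then-use pattern of the mail delivery example above, shown as an added illustration that is not part of this guide: the first routine repeats the racy stat-then-chown by pathname (two separate name lookups), while the second opens the file once with O_NOFOLLOW and then checks and acts on the open descriptor, so there is no second lookup for a re-pointed link to exploit. The function names, the demo() layout under /tmp and the use of uid/gid -1 (leave ownership unchanged, so no privilege is needed) are assumptions made for a runnable self-check.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the text: check by name, then act by name (two lookups). */
int chown_by_path_racy(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return chown(path, uid, gid);   /* second lookup: the TOCTTOU window */
}

/* Hardened: one lookup into a descriptor, then check and act on that same object. */
int chown_by_descriptor(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, saved, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;          /* symlink at the final component: ELOOP */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchown(fd, uid, gid);  /* no name lookup left to race */
    else
        errno = EINVAL;             /* directory, FIFO, device: refuse */
    saved = errno; close(fd); errno = saved;
    return rc;
}

/* Constructed self-check (hypothetical /tmp layout; uid/gid of -1 leave ownership
 * as is). Returns 1 when the hardened routine accepts only the regular file while
 * the racy routine follows the symlink without noticing it. */
int demo(void)
{
    char dir[] = "/tmp/tocttou-XXXXXX", file[64], link[64];
    int ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/f", dir);
    snprintf(link, sizeof link, "%s/l", dir);
    close(open(file, O_WRONLY | O_CREAT, 0600));
    ok = symlink(file, link) == 0
      && chown_by_descriptor(file, (uid_t)-1, (gid_t)-1) == 0
      && chown_by_descriptor(link, (uid_t)-1, (gid_t)-1) == -1 && errno == ELOOP
      && chown_by_descriptor(dir, (uid_t)-1, (gid_t)-1) == -1
      && chown_by_path_racy(link, (uid_t)-1, (gid_t)-1) == 0;
    unlink(link); unlink(file); rmdir(dir);
    return ok;
}
```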
Certain TOCTTOU attacks against privileged setuid scripts use the time between the
kernel determining that a program is a privileged script and spawning an interpreter with
privilege, and the interpreter opening the script to execute it. If an attacker can change
the file reference between these two steps, the attacker can cause the interpreter to execute an
arbitrary script with privilege. An attacker can exploit the vulnerability by repeatedly
executing a privileged setuid script through a symbolic link, where the symbolic link is
constantly being changed from pointing to the privileged script to pointing to the
attacker’s own attack script. Starting with HP-UX 11i v1.6, a kernel tunable parameter
called secure_sid_scripts(5) was introduced with a default value that indicates
that the setuid and setgid bits on scripts are ignored by the kernel. The vulnerability
can still be exploited if the tunable parameter is configured to honor a privileged script’s
setuid and setgid bits, favoring compatibility over security. Refer to
secure_sid_scripts(5) for details.
How this template addresses the vulnerability
The Race Condition template monitors the file accesses that privileged programs make.
The template generates an alert if a file reference appears to have unexpectedly changed.
This template also monitors the execution of privileged setuid scripts that are
susceptible to a race condition when executed from a symbolic link. Starting with
HP-UX 11i v1.6, the setuid bit of a setuid script is ignored if the default value of
the secure_sid_scripts tunable kernel parameter is in place.
How this template is configured
Table A-6 lists the configurable properties the Race Condition template supports.
Table A-6 Race Condition Template Properties

Property                  Type   Default Value
priv_user_list            III    root | daemon | bin | sys | adm | uucp | lp | nuucp
pathnames_to_not_watch    I      <empty>
pathnames_1               II     ^/etc/passwd$
152 Templates and Alerts