Mastodawn

Alec Muffett Dec 9, 2024

Linux Kernel: TOCTOU in Exec System | …I am sure that there was a vulnerability of this exact kind in Unix circa 1988 +/- 4yrs
https://alecmuffett.com/article/110753
#Cve202443882 #security #setuid #unix

Linux Kernel: TOCTOU in Exec System | …I am sure that there was a vulnerability of this exact kind in Unix circa 1988 +/- 4yrs

I’m pretty sure there was a direct one on the inode permissions, and possibly a second one involving symlinks. Every bug has its day again and again and again. There is a Time-of-Check / Time…

Dropsafe

alecm Dec 9, 2024

Linux Kernel: TOCTOU in Exec System | …I am sure that there was a vulnerability of this exact kind in Unix circa 1988 +/- 4yrs

I’m pretty sure there was a direct one on the inode permissions, and possibly a second one involving symlinks. Every bug has its day again and again and again.

There is a Time-of-Check / Time-of-Use issue in the Linux kernel in the exec system calls. The executability permissions are checked at a different time than the set-user-ID bit is applied. This could lead to privilege escalation.

https://github.com/google/security-research/security/advisories/GHSA-c45w-xwww-rfgg

#CVE202443882 #security #setuid #unix

Linux Kernel: TOCTOU in Exec System

### Summary There is a Time-of-Check / Time-of-Use issue in the Linux kernel in the exec system calls. The executability permissions are checked at a different time than the set-user-ID bit is app...

GitHub