
Permission Race Condition During Resource Copy

ID: 689
Date: (C)2012-05-14   (M)2012-11-08
Type: compound element
Status: DRAFT
Abstraction Type: Base





Description

The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
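The weakness described above in a C file copy, with the weak ordering next to the hardened one. This is an added example, not part of the CWE entry; `copy_file`, its `harden` flag and its `during` output parameter are illustrative names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; names are illustrative.
 * harden=0 reproduces CWE-689: dst sits at mode 0666 until the copy is done.
 * harden=1 creates dst owner-only and applies the source mode as the last step.
 * *during receives dst's permission bits after the data is written but
 * before the final mode is applied, i.e. what other local users could use.
 * Returns 0 on success, -1 on error (a partially written dst is removed). */
int copy_file(const char *src, const char *dst, int harden, mode_t *during)
{
    mode_t initial = harden ? 0600 : 0666;
    struct stat s_in, s_out;
    char buf[4096];
    ssize_t n = 0;
    int rc = -1;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    /* O_EXCL | O_NOFOLLOW: never reuse a file or symlink already at dst. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, initial);
    if (out < 0) { close(in); return -1; }
    /* Pin the initial mode on the descriptor so the demo does not depend on
     * the umask (the weak case then behaves as it would under umask 0). */
    if (fstat(in, &s_in) != 0 || fchmod(out, initial) != 0) goto done;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0, w; off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) goto done;
    }
    if (n < 0 || fstat(out, &s_out) != 0) goto done;
    *during = s_out.st_mode & 0777;          /* mode during the copy window */
    if (fchmod(out, s_in.st_mode & 0777) != 0) goto done;
    rc = 0;
done:
    close(in);
    if (close(out) != 0) rc = -1;
    if (rc != 0) unlink(dst);
    return rc;
}

int main(int argc, char **argv)
{
    mode_t seen;
    return (argc == 3 && copy_file(argv[1], argv[2], 1, &seen) == 0) ? 0 : 1;
}
```

Both variants end with the same final mode; only the hardened one keeps the destination closed to other users while the data is being written.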

Applicable Platforms
Language: C
Language: Perl

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

Scope: Confidentiality, Integrity
Technical Impact: Read application data, Modify application data


Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-689 Requires CWE-732
Type: Weakness
View: CWE-1000

Demonstrative Examples
None

Observed Examples

  1. CVE-2002-0760: Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
  2. CVE-2005-2174: Product inserts a new object into database before setting the object's permissions, introducing a race condition.
  3. CVE-2006-5214: Error file has weak permissions before a chmod is performed.
  4. CVE-2005-2475: Archive permissions issue using hard link.
  5. CVE-2003-0265: Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:

  1. Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 9, "Permission Races", page 533.

© 2013 SecPod Technologies