DragonFly2, Insecure Directory Creation, CVE-2022-39263 (Critical)

Listen to this Post

The vulnerability exploits the os.MkdirAll function’s behavior in Go. This function creates a directory path with the specified permissions but only if it does not already exist. If any directory in the path already exists, os.MkdirAll does not validate or correct its permissions. An attacker can perform a time-of-check-time-of-use (TOCTOU) race condition by pre-creating a directory in a path that DragonFly2 will later use. By setting this directory to world-writable permissions (0777), the attacker gains control over it. When DragonFly2 later writes critical files to this path, the attacker can delete, modify, or forge these files, ultimately leading to arbitrary command execution under the victim’s context.
Platform: DragonFly BSD
Version: < v2.1.0
Vulnerability: Race Condition
Severity: Critical

date: 2022-09-29

Prediction: 2022-10-13

What Undercode Say:

`mkdir -p /tmp/attack-dir && chmod 0777 /tmp/attack-dir`

`inotifywait -m -e create .`

`!/bin/bash

while true; do

if [ ! -d “/target/path” ]; then

mkdir -p /target/path

chmod 0777 /target/path

break

fi

done`

How Exploit:

Local attacker pre-creates directory.

Sets 0777 permissions.

Hijacks file operations.

Achieves arbitrary command execution.

Protection from this CVE

Upgrade to v2.1.0.

Impact:

File Tampering

Privilege Escalation

Arbitrary Code Execution

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top