Listen to this Post
The vulnerability exploits the os.MkdirAll function’s behavior in Go. This function creates a directory path with the specified permissions but only if it does not already exist. If any directory in the path already exists, os.MkdirAll does not validate or correct its permissions. An attacker can perform a time-of-check-time-of-use (TOCTOU) race condition by pre-creating a directory in a path that DragonFly2 will later use. By setting this directory to world-writable permissions (0777), the attacker gains control over it. When DragonFly2 later writes critical files to this path, the attacker can delete, modify, or forge these files, ultimately leading to arbitrary command execution under the victim’s context.
Platform: DragonFly BSD
Version: < v2.1.0
Vulnerability: Race Condition
Severity: Critical
date: 2022-09-29
Prediction: 2022-10-13
What Undercode Say:
`mkdir -p /tmp/attack-dir && chmod 0777 /tmp/attack-dir`
`inotifywait -m -e create .`
`!/bin/bash
while true; do
if [ ! -d “/target/path” ]; then
mkdir -p /target/path
chmod 0777 /target/path
break
fi
done`
How Exploit:
Local attacker pre-creates directory.
Sets 0777 permissions.
Hijacks file operations.
Achieves arbitrary command execution.
Protection from this CVE
Upgrade to v2.1.0.
Impact:
File Tampering
Privilege Escalation
Arbitrary Code Execution
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

