ctfwriteup
  • āœ…/home/ret2basic.eth
  • Game Hacking
    • šŸ‘‘Pwn Adventure 3: Pwnie Island
      • āœ…Prep: Speed Hack
      • āœ…Prep: Infinite Health and Mana (Offline)
      • āœ…Prep: Analyze Network Packets with Wireshark
      • Prep: Build a Proxy in Python
      • āœ…Until the Cows Come Home
      • Unbearable Revenge
      • Pirate's Treasure
    • Cheat Engine Tutorial
      • āœ…Step 1: Setup
      • āœ…Step 2: Scan for "Exact Value"
      • āœ…Step 3: Scan for "Unknown initial value"
      • āœ…Step 4: Scan for float and double
      • āœ…Step 5: Replace instruction
      • Step 6: Pointer scanning
      • Step 7: Code injection
      • Step 8: Multilevel pointers
      • Step 9: Shared code
  • Web3 CTF
    • šŸ‘‘Remedy CTF 2025 (Todo)
      • Diamond Heist
      • R vs Q
      • Rich Man's Bet
      • Casino Avengers
      • Frozen Voting
      • Lockdown
      • Proof of Thought
      • Maybe it's unnecessary?
      • Et tu, Permit2?
      • Not a very LUCKY TOKEN
      • risc4
      • HealthCheck as a Service
      • Restricted Proxy
      • Unstable Pool
      • Opaze Whisperer
      • "memorable" onlyOwner
      • World of Memecraft
      • Copy/Paste/Deploy
      • Peer-to-peer-to-me
      • Joe's Lending Mirage
      • Tokemak
      • OFAC Executive Order 13337
    • šŸ‘‘Paradigm CTF 2023 (Todo)
      • Oven
      • Dragon Tyrant
    • Damn Vulnerable DeFi
      • āœ…Unstoppable
      • āœ…Naive Receiver
      • āœ…Truster
      • āœ…Side Entrance
      • āœ…The Rewarder
      • āœ…Selfie
      • āœ…Compromised
      • āœ…Puppet
      • āœ…Puppet V2
      • āœ…Free Rider
      • Backdoor
      • Climber
      • Wallet Mining (Todo)
      • Puppet V3 (Todo)
      • ABI Smuggling (Todo)
    • Milotruck Challs
      • āœ…Greyhats Dollar
      • Escrow
      • Simple AMM Vault
      • Voting Vault
      • āœ…Meta Staking
      • āœ…Gnosis Unsafe
    • Secureum AMAZEX DSS Paris
      • āœ…Operation magic redemption
      • Mission Modern WETH: Rescue the Ether
      • LendEx pool hack
      • Operation Rescue POSI Token!
      • Balloon Vault
      • Safe Yield?
      • āœ…Crystal DAO
      • āœ…Liquidatoooor
    • āœ…Ethernaut
      • āœ…Hello Ethernaut
      • āœ…Fallback
      • āœ…Fallout
      • āœ…Coin Flip
      • āœ…Telephone
      • āœ…Token
      • āœ…Delegation
      • āœ…Force
      • āœ…Vault
      • āœ…King
      • āœ…Re-entrancy
      • āœ…Elevator
      • āœ…Privacy
      • āœ…Gatekeeper One
      • āœ…Gatekeeper Two
      • āœ…Naught Coin
      • āœ…Preservation
      • āœ…Recovery
      • āœ…MagicNumber
      • āœ…Alien Codex
      • āœ…Denial
      • āœ…Shop
      • āœ…DEX
      • āœ…DEX Two
      • āœ…Puzzle Wallet
      • Motorbike
      • DoubleEntryPoint
      • āœ…Good Samaritan
      • Gatekeeper Three
      • Switch
    • āœ…Flashbots MEV-Share CTF
    • āœ…Capture the Ether
      • āœ…Lotteries
      • āœ…Math
      • āœ…Miscellaneous
    • āœ…EVM Puzzles
      • āœ…Puzzle 1
      • āœ…Puzzle 2
      • āœ…Puzzle 3
      • āœ…Puzzle 4
      • āœ…Puzzle 5
      • āœ…Puzzle 6
      • āœ…Puzzle 7
      • āœ…Puzzle 8
      • āœ…Puzzle 9
      • āœ…Puzzle 10
    • āœ…More EVM Puzzles
      • āœ…Puzzle 1
      • āœ…Puzzle 2
      • āœ…Puzzle 3
      • āœ…Puzzle 4
      • āœ…Puzzle 5
      • āœ…Puzzle 6
      • āœ…Puzzle 7
      • āœ…Puzzle 8
      • āœ…Puzzle 9
      • āœ…Puzzle 10
    • āœ…QuillCTF
      • āœ…MetaToken
      • āœ…Temporary Variable
      • KeyCraft
      • āœ…Lottery
      • āœ…Private Club
      • Voting Machine
      • āœ…Predictable NFT
      • āœ…Invest Pool
      • PseudoRandom
      • āœ…Gold NFT
      • Slot Puzzle
      • Moloch's Vault
      • āœ…Donate
      • āœ…WETH-11
      • Panda Token
      • Gate
      • āœ…WETH10
      • āœ…Pelusa
      • āœ…True XOR
      • āœ…Collatz Puzzle
      • āœ…D31eg4t3
      • āœ…Safe NFT
      • āœ…VIP Bank
      • āœ…Confidential Hash
      • āœ…Road Closed
    • āœ…unhacked
      • āœ…reaper
  • RareSkills Puzzles
    • Solidity Exercises
    • Solidity Riddles
    • Yul Puzzles
      • āœ…01 - ReturnBool
      • āœ…02 - SimpleRevert
      • āœ…03 - Return42
      • āœ…04 - RevertWithError
      • āœ…05 - RevertWithSelectorPlusArgs
      • 06 - RevertWithPanic
    • Huff Puzzles
    • Uniswap V2 Puzzles
    • Zero Knowledge Puzzles
  • Web2 CTF
    • Grey Cat CTF 2024
      • āœ…Web Challs
    • pwn.college
      • Introduction
        • What is Computer Systems Security?
      • Program Interaction
        • Linux Command Line
        • šŸš©embryoio
      • Program Misuse
        • Privilege Escalation
        • Mitigations
        • šŸš©babysuid
      • Assembly Refresher
        • x86 Assembly
        • šŸš©embryoasm
      • Shellcoding
        • Introduction
        • Common Challenges
        • Data Execution Prevention
        • šŸš©babyshell
      • Sandboxing
        • chroot
        • seccomp
        • Escaping seccomp
        • šŸš©babyjail
      • Debugging Refresher
        • x86 Assembly
        • šŸš©embryogdb
      • Binary Reverse Engineering
        • Functions and Frames
        • Data Access
        • Static Tools
        • Dynamic Tools
        • Real-world Applications
        • šŸš©babyrev
      • Memory Errors
        • High-Level Problems
        • Smashing the Stack
        • Causes of Corruption
        • Canary
        • ASLR
        • Causes of Disclosure
        • šŸš©babymem
      • Exploitation
        • Introduction
        • Hijacking to Shellcode
        • Side Effects
        • JIT Spray
        • šŸš©toddler1
      • Return Oriented Programming
        • Binary Lego
        • Techniques
        • Complications
        • šŸš©babyrop
      • Dynamic Allocator Misuse
        • What is the Heap?
        • Dangers of the Heap
        • tcache
        • Chunks and Metadata
        • Metadata Corruption
        • šŸš©babyheap
      • Race Conditions
        • Introduction
        • Races in the Filesystem
        • šŸš©babyrace
      • Kernel Security
        • Environment Setup
        • Kernel Modules
        • Privilege Escalation
        • šŸš©babykernel
      • Advanced Exploitation
        • toddler2
    • pwnable.kr
      • fd
      • collision
      • bof
      • flag
      • passcode
      • random
      • input
      • leg
      • mistake
      • shellshock
      • coin1
      • blackjack
      • lotto
      • cmd1
      • cmd2
      • uaf
      • memcpy
      • asm
      • unlink
      • blukat
      • horcruxes
    • ROP Emporium
      • ret2win
      • split
      • callme
      • write4
      • pivot
    • āœ…Jarvis OJ Pwn Xman Series
    • āœ…Jarvis OJ Crypto RSA Series
    • āœ…picoMini by redpwn
      • Binary Exploitation
      • Reverse Engineering
      • Cryptography
      • Web Exploitation
      • Forensics
    • āœ…picoCTF 2021
      • Reverse Engineering
      • Web Exploitation
      • Forensics
    • āœ…picoCTF 2020 Mini-Competition
  • Red Teaming
    • vulnlab
      • Active Directory Chains
        • āœ…Trusted (Easy)
        • Hybrid (Easy)
        • Lustrous (Medium)
        • Reflection (Medium)
        • Intercept (Hard)
      • Red Team Labs
        • Wutai (Medium)
        • Shinra (Hard)
    • Hack The Box
      • AD
        • Intelligence
        • Pivotapi
        • Sharp
        • Monteverde
        • Resolute
        • Endgame: P.O.O.
        • Forest
        • Sauna
        • Active
        • Blackfield
      • āœ…Linux
        • āœ…Safe (Easy)
        • āœ…Delivery (Easy)
        • āœ…TheNotebook (Medium)
        • āœ…Brainfuck (Insane)
    • TCM Windows Privilege Escalation Course
      • āœ…Hack The Box - Chatterbox (Medium)
      • Hack The Box - SecNotes (Medium)
    • āœ…TCM Linux Privilege Escalation Course
      • āœ…TryHackMe - Simple CTF (Easy)
      • āœ…TryHackMe - Vulnversity (Easy)
      • āœ…TryHackMe - CMesS (Medium)
      • āœ…TryHackMe - UltraTech (Medium)
      • āœ…TryHackMe - LazyAdmin (Easy)
      • āœ…TryHackMe - Anonymous (Medium)
      • āœ…TryHackMe - tomghost (Easy)
      • āœ…TryHackMe - ConvertMyVideo (Medium)
      • āœ…TryHackMe - Brainpan 1 (Hard)
Powered by GitBook
On this page
  • TOCTTOU
  • Example
  1. Web2 CTF
  2. pwn.college
  3. Race Conditions

Introduction

TOCTTOU

Execution ordering is only guaranteed within a thread. There are many possible execution orderings for a "simultaneous" launch of two processes P1P_1P1ā€‹ and P2P_2P2ā€‹.

Some execution orderings can be buggy. For example, the program calls two functions do_action() and check_input(). If the execution ordering is different from the intended logic that the programmer expected, the attacker may bypass the check and trick the program to execute something that it is not supposed to execute. This bug type is called Time of Check to Time of Use, and it is abbreviated as TOCTTOU.

Example

Consider the following source code toctou.c:

// toctou.c
#include <assert.h>
#include <unistd.h>
#include <stdio.h>

void check_input(char *filename)
{
    int i;
    FILE *f = fopen(filename, "r");
    fscanf(f, "%d", &i);
    fclose(f);
    assert(i == 0);
}

void do_action(char *filename)
{
    int i;
    FILE *f = fopen(filename, "r");
    fscanf(f, "%d", &i);
    fclose(f);

    i++;
    f = fopen(filename, "w");
    fprintf(f, "%d\n", i);
    printf("Wrote %d!\n", i);
    fclose(f);
}

int main(int argc, char **argv)
{
    check_input(argv[1]);
    do_action(argv[1]);
}

Compile the source code:

gcc toctou.c -o toctou

Now let's do an experiment. Open tmux and create 3 windows. In the first two windows (processes P1P_1P1ā€‹ and P2P_2P2ā€‹), start two infinite loops that keep executing toctou:

while : ; do ./toctou num ; done 2>/dev/null

In the last window, start another infinite loop that keeps writing 0 to num:

while : ; do echo 0 > num ; done

Here we can notice the inconsist results:

The intended output is Wrote 1!, but there are cases where the program outputs Wrote 2!. This is becasue we trigger the TOCTOU bug. For these cases, the execution ordering is something like this:

P1: check_input();
P2: check_input();
P1: do_action();
P2: do_action();

Both processes call check_input() first, so they pass the assert(i == 0); check. Later on, both processes call do_action() so that the counter i gets incremented twice. As a result, we have i = 2 in the end.

PreviousRace ConditionsNextRaces in the Filesystem

Last updated 3 years ago