Base weakness

Incomplete

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Also known as: TOCTTOU, TOCCTOU

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

445

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code checks a file, then updates its contents.

Vulnerable example

struct stat *sb;

Potentially the file could have been updated between the time of the check and the lstat, especially since the printf has latency.

The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should otherwise be unavailable the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations.

Vulnerable example

if(!access(file,W_OK)) {

The call to access() behaves as expected, and returns 0 if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges. This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target.

This code prints the contents of a file if a user has permission.

Vulnerable example

php

function readFile($filename){

This code attempts to resolve symbolic links before checking the file and printing its contents. However, an attacker may be able to change the file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files. Note that this code fails to log the attempted access (CWE-778).

This example is adapted from [REF-18]. Assume that this code block is invoked from multiple threads. The switch statement will execute different code depending on the time when MYFILE.txt was last changed.

Vulnerable example

#include <sys/types.h>

If this code block were executed within multiple threads, and MYFILE.txt changed between the operation of one thread and another, then the switch could produce different, possibly unexpected results.

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-367?

What CVEs are caused by CWE-367?

How do you prevent CWE-367?

How is CWE-367 detected?

What are the consequences of CWE-367?

Is CWE-367 actively exploited?

References

Stay ahead of CWE-367

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Peer

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-367?

What CVEs are caused by CWE-367?

How do you prevent CWE-367?

How is CWE-367 detected?

What are the consequences of CWE-367?

Is CWE-367 actively exploited?

References

Stay ahead of CWE-367