Understanding Race Conditions

Published on 02 September 2024
Updated on 02 September 2024

CVE-2017-2533 is a macOS race condition vulnerability that allows an attacker to perform privilege escalation. It exists in the diskarbitrationd service, which handles disk operations such as mounting filesystems and displaying disks.

CVE-2016-7098 is a race condition vulnerability affecting the wget tool; versions prior to 1.18 are affected. An attacker can bypass the access-list restrictions the tool provides and potentially download malicious files that would otherwise be blocked. This happens because the tool applies the restriction only after downloading the file.

What is a race condition?

A race condition is a situation where two threads concurrently modify shared memory. If a variable is being changed by one thread and that thread is suspended before it finishes (for example, its time slice runs out), a second thread can access the same variable in the meantime and cause an undesirable result.

But what is a thread? It is basically a unit of execution. To execute a process, the operating system uses threads; a process can have multiple threads. You can list the threads of a process with tools such as Process Explorer or WinDbg on Windows systems.

Consider the following scenario: thread 1 increments the value of a variable x but has not had time to write the result back yet. Its state is saved and the next thread is scheduled to execute. This new thread increments the value of x as well. Thread 1 resumes and writes the result it computed earlier. The final result is x+1 rather than x+2.

In normal operation:

  • x = 10
  • Thread 1: x + 1 = 11
  • Thread 2: x + 1 = 12

In a race condition:

  • Thread 1: x + 1 = 11 (but not enough time to write it)
  • Thread 2: x + 1 = 11

This behavior is unpredictable and very hard to debug. It is also a security loophole that can be exploited if the timing of the attack is perfected.

Race conditions are used to initiate privilege escalation, install webshells for backdoor access, execute remote code, etc.

What can we do about it?

Locks are a common solution to this in software development. A variable is locked by a thread until that thread finishes its operations; as a result, other threads have to wait for the variable to be released before using it, and the race condition cannot occur. In effect, a queue-like mechanism makes the resource available to just one thread at a time.
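As an added example (not code from the original post), the lost update above reproduced in Go: the racy variant performs exactly the read, compute x+1, write-back sequence the post describes, while the locked variant holds a mutex across all three steps so a second goroutine has to wait. The names `run`, `incrementRacy` and `incrementLocked` are mine.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

var x int64 = 10  // shared counter, starting at 10 as in the post
var mu sync.Mutex // serializes the read-modify-write in the locked variant

// incrementRacy mirrors the post's failing interleaving: read x, compute x+1,
// write it back. Each load and store is atomic by itself, but a second goroutine
// can read the same old value in the gap, so both "x + 1" steps yield 11.
func incrementRacy() {
	v := atomic.LoadInt64(&x)
	atomic.StoreInt64(&x, v+1)
}

// incrementLocked holds the mutex across the whole read-modify-write.
func incrementLocked() {
	mu.Lock()
	defer mu.Unlock()
	x = x + 1
}

// run resets x to 10, starts `workers` goroutines that each call step
// `perWorker` times, waits for all of them, and returns the final x.
func run(workers, perWorker int, step func()) int64 {
	atomic.StoreInt64(&x, 10)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				step()
			}
		}()
	}
	wg.Wait()
	return atomic.LoadInt64(&x)
}

func main() {
	const workers, perWorker = 8, 200000
	fmt.Println("expected:", 10+workers*perWorker)
	fmt.Println("racy:    ", run(workers, perWorker, incrementRacy)) // usually lower
	fmt.Println("locked:  ", run(workers, perWorker, incrementLocked))
}
```

On a multi-core machine the racy count falls short of the expected value by a different amount on every run, which is the unpredictability the post describes; the locked count is always exact.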
