{"id":56915,"date":"2024-08-23T14:28:25","date_gmt":"2024-08-23T14:28:25","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36249\/How-To-Manipulate-The-Execution-Flow-Of-TOCTOU-Attacks.html"},"modified":"2024-08-23T14:28:25","modified_gmt":"2024-08-23T14:28:25","slug":"how-to-manipulate-the-execution-flow-of-toctou-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/","title":{"rendered":"How To Manipulate The Execution Flow Of TOCTOU Attacks"},"content":{"rendered":"<p>Execution flow is the order in which instructions are executed in a system. Manipulating the execution flow of a legitimate process to execute malicious code through a \u201cTime-of-Check to Time-of-Use\u201d (TOCTOU) attack involves exploiting the time gap between when a system checks a condition and when it acts on that condition. Put simply, a TOCTOU attack takes advantage of the delay between when a system checks something (like a condition) and when it actually acts on that check. During this delay, I can manipulate the process so that, instead of performing the intended task, the system ends up executing malicious code.<\/p>\n<p>This blog post documents some of my workflows to achieve this, along with a sample execution example. 
Each H2 header represents a workflow.<\/p>\n<h2 class=\"wp-block-heading\">File or resource substitution<\/h2>\n<p>If a process checks for the existence or integrity of a file or resource (like a configuration file or library) and then uses it shortly afterward, there might be a window of opportunity to swap out the legitimate file with a malicious one.<\/p>\n<h3 class=\"wp-block-heading\">Execution steps<\/h3>\n<ol class=\"wp-block-list has-custom-color-1-gradient-background has-background\">\n<li>Monitor the process to identify when it checks the file\/resource.<\/li>\n<li>Quickly replace the legitimate file with a malicious one during the TOCTOU window before the process uses it.<\/li>\n<li>The process then unwittingly executes the malicious file, believing it to be the legitimate one.<\/li>\n<\/ol>\n<h4 class=\"wp-block-heading\">Example<\/h4>\n<h5 class=\"wp-block-heading\">Monitor the process<\/h5>\n<p>First, I must monitor the target process ID (PID) to detect when it checks the file\/resource. Monitoring can be done using tools like <code>strace<\/code> (Linux) or <code>dtruss<\/code> (macOS).<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code># Linux - strace to monitor sys calls of specific process\nstrace -p &lt;PID&gt; -e trace=open,read,stat\n\n# macOS - dtruss for similar monitoring\nsudo dtruss -p &lt;PID&gt;<\/code><\/pre>\n<h5 class=\"wp-block-heading\">Wait for the check<\/h5>\n<p>Next, I watch for the specific system calls (like <code>open<\/code>, <code>read<\/code>, or <code>stat<\/code>) that indicate the process is checking the file\/resource. I need to time my action between this check and when the file\/resource is actually used.<\/p>\n<p>Once I observe the process a few times, I\u2019ll start to get an idea of the typical delay between the check and the use. 
This number will inform how quickly I need to act to replace the file.<\/p>\n<p>Other times, I will script a replacement using a tool that monitors the system call or a loop in a script to attempt the replacement repeatedly. I do this often because the timing is critical and usually too fast for manual intervention.<\/p>\n<p>[Embedded GitHub gist <code>toctou_automation.sh<\/code>; its contents were not captured on this page.]<\/p>\n<h5 class=\"wp-block-heading\">Replace legitimate file with malicious one<\/h5>\n<p>During the TOCTOU window (between the check and the use), I will quickly replace the legitimate file with my malicious version. 
Here, I use standard file manipulation commands like <code>mv<\/code>, <code>cp<\/code>, or <code>ln<\/code>.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>mv \/path\/malicious\/file \/path\/legitimate\/file<\/code><\/pre>\n<p>Or, if I want to keep the legitimate file around and just link the malicious one:<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>ln -sf \/path\/malicious\/file \/path\/legitimate\/file<\/code><\/pre>\n<p>I must execute this command during the small window of time after the process checks the file and before the process uses it.<\/p>\n<h5 class=\"wp-block-heading\">Wait for execution<\/h5>\n<p>After replacing the file, the process will execute the malicious file, thinking it\u2019s the legitimate one. This step is where the TOCTOU race condition is exploited.<\/p>\n<h3 class=\"wp-block-heading\">Other tools that can help<\/h3>\n<h4 class=\"wp-block-heading\"><code>inotifywait<\/code> (Linux)<\/h4>\n<p>Monitor the file system for access, modification, or deletion events.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>inotifywait -m \/path\/file<\/code><\/pre>\n<h4 class=\"wp-block-heading\"><code>auditd<\/code> (Linux) \/ <code>fs_usage<\/code> (macOS)<\/h4>\n<p>These audit file access in real time. With <code>auditd<\/code>, add a watch rule on the file (<code>-p war<\/code> covers write, attribute change, and read) and then search the audit log by the rule\u2019s key:<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>sudo auditctl -w \/path\/file -p war -k file_watch\nsudo ausearch -k file_watch<\/code><\/pre>\n<p>or<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>sudo fs_usage -w | grep \"\/path\/file\"<\/code><\/pre>\n<h2 class=\"wp-block-heading\">Symbolic link (symlink) attack<\/h2>\n<p>If a process checks the target of a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Symbolic_link\">symbolic link<\/a> (symlink) and then uses the symlink to access a file or directory, I 
usually try to replace the symlink\u2019s target with a malicious one between the check and use.<\/p>\n<h3 class=\"wp-block-heading\">Execution<\/h3>\n<ol class=\"wp-block-list is-style-default has-custom-color-1-gradient-background has-background\">\n<li>Create a symlink pointing to a legitimate file or directory.<\/li>\n<li>The system checks the symlink and validates the target as safe.<\/li>\n<li>Before the system actually uses the file or directory, I change the symlink to point to a malicious file.<\/li>\n<li>The system then executes or interacts with the malicious file, believing it is the originally checked file.<\/li>\n<\/ol>\n<h4 class=\"wp-block-heading\">Example<\/h4>\n<h5 class=\"wp-block-heading\">Create a symlink to a legitimate file or directory<\/h5>\n<p>On Linux or macOS, I create a symbolic link using the <code>ln -s<\/code> command. Suppose I have a legitimate file called <code>legit_file.txt<\/code>:<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>ln -s legit_file.txt symlink_file.txt<\/code><\/pre>\n<p>This creates a symbolic link called <code>symlink_file.txt<\/code> pointing to <code>legit_file.txt<\/code>.<\/p>\n<h5 class=\"wp-block-heading\">Wait for system to validate symlink<\/h5>\n<p>At this point, I need to wait for the system to check or validate the file. For example, a program might check the symlink target for permissions, file type, or other attributes.<\/p>\n<h5 class=\"wp-block-heading\">Change symlink to point to a malicious file<\/h5>\n<p>Once the system has validated the original symlink target, but before it uses it, I will change the symlink to point to a different, malicious file. 
For instance, suppose my malicious file is <code>malicious_file.txt<\/code>:<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>rm symlink_file.txt\nln -s malicious_file.txt symlink_file.txt<\/code><\/pre>\n<p>These commands remove the original symlink and create a new one with the same name, now pointing to <code>malicious_file.txt<\/code>.<\/p>\n<h5 class=\"wp-block-heading\">System uses malicious file<\/h5>\n<p>After the symlink has been changed, when the system attempts to use <code>symlink_file.txt<\/code>, it will interact with <code>malicious_file.txt<\/code> instead of the original <code>legit_file.txt<\/code>. If the system only validates the symlink once and does not recheck it before use, this can lead to executing or interacting with the malicious file.<\/p>\n<h2 class=\"wp-block-heading\">Environment variable manipulation<\/h2>\n<p>Some processes check environment variables before executing a command or loading a library. If there\u2019s a delay between the check and the execution, I can try to modify the environment variables to point to malicious code.<\/p>\n<h3 class=\"wp-block-heading\">Execution<\/h3>\n<ol class=\"wp-block-list has-custom-color-1-gradient-background has-background\">\n<li>The legitimate process starts and checks an environment variable, like <code>PATH<\/code> or <code>LD_LIBRARY_PATH<\/code>, to determine where to find executable files or libraries.<\/li>\n<li>I change the environment variable to point to a malicious executable or library during the TOCTOU window.<\/li>\n<li>When the process continues execution, it loads and executes the malicious code instead of the legitimate one.<\/li>\n<\/ol>\n<h4 class=\"wp-block-heading\">Example<\/h4>\n<h5 class=\"wp-block-heading\">Identify the target process<\/h5>\n<p>First, I will identify a legitimate process that checks environment variables like <code>PATH<\/code> or <code>LD_LIBRARY_PATH<\/code> before executing files or loading 
libraries.<\/p>\n<h5 class=\"wp-block-heading\">Create malicious code<\/h5>\n<p>Next, I will create a malicious executable or shared library that the target process will execute or load.<\/p>\n<h6 class=\"wp-block-heading\"><em>Example 1: Malicious executable<\/em><\/h6>\n<p>If I am in a testing (i.e., not executing on the target system) setting, I will create a simple C program that prints a message when executed.<\/p>\n<p>[Embedded GitHub gist <code>malicious.c<\/code>; its contents were not captured on this page.]<\/p>\n<p>Then, compile the program to create an executable:<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>gcc -o malicious_executable malicious.c<\/code><\/pre>\n<h6 class=\"wp-block-heading\"><em>Example 2: Malicious shared library<\/em><\/h6>\n<p>Here, I will create a malicious shared library that prints a message when loaded. 
Again, this is only for testing settings; this would not be good practice during an engagement.<\/p>\n<p>[Embedded GitHub gist <code>malicious2.c<\/code>; its contents were not captured on this page.]<\/p>\n<p>Then, I will compile the shared-library source (<code>malicious2.c<\/code>, not the executable from Example 1):<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>gcc -shared -o malicious.so -fPIC malicious2.c<\/code><\/pre>\n<h5 class=\"wp-block-heading\">Prepare the environment<\/h5>\n<p>Next, I would place the malicious executable or library in a directory that I control. 
I ensure that the directory has appropriate permissions so that it is accessible by the target process.<\/p>\n<h5 class=\"wp-block-heading\">Manipulate the environment variables<\/h5>\n<p>Manipulate environment variables so the target process uses my malicious code instead of the legitimate one.<\/p>\n<h6 class=\"wp-block-heading\"><em>Option A: Exploiting the <code>PATH<\/code> environment variable<\/em><\/h6>\n<p>In this case, I would prepend my directory containing the malicious executable to the <code>PATH<\/code> environment variable.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>export PATH=\/path\/to\/malicious\/dir:$PATH<\/code><\/pre>\n<p>Now, the target process will use my malicious executable instead of the legitimate one when it executes.<\/p>\n<h6 class=\"wp-block-heading\"><em>Option B: Exploiting the <code>LD_LIBRARY_PATH<\/code> environment variable<\/em><\/h6>\n<p>In this case, I would prepend my directory containing the malicious library to the <code>LD_LIBRARY_PATH<\/code> environment variable.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>export LD_LIBRARY_PATH=\/path\/to\/malicious\/lib:$LD_LIBRARY_PATH<\/code><\/pre>\n<p>Now, when it loads a library, the target process loads my malicious library instead of the legitimate one.<\/p>\n<h5 class=\"wp-block-heading\">Trigger the target process<\/h5>\n<p>At this point, I trigger the target process to run. Triggering could involve starting the process directly or waiting for a scheduled execution.<\/p>\n<h5 class=\"wp-block-heading\">Observe the execution<\/h5>\n<p>Lastly, I verify the execution by observing the output if I am doing this process in a test setting. 
If successful, I will see my malicious message (e.g., \u201cmalicious library loaded\u201d) printed, indicating that the target process executed my code.<\/p>\n<h2 class=\"wp-block-heading\">Shared memory manipulation<\/h2>\n<p>If a process checks shared memory for data integrity and then uses the data, I might try to modify the shared memory contents between the check and use.<\/p>\n<h3 class=\"wp-block-heading\">Execution<\/h3>\n<ol class=\"wp-block-list is-style-default has-custom-color-1-gradient-background has-background\">\n<li>Identify the shared memory segment used by the legitimate process.<\/li>\n<li>Wait for the process to perform its integrity check.<\/li>\n<li>Quickly alter the contents of the shared memory during the TOCTOU window.<\/li>\n<li>Acting on the altered shared memory, the process may execute malicious code or behave in unintended ways.<\/li>\n<\/ol>\n<h4 class=\"wp-block-heading\">Example<\/h4>\n<h5 class=\"wp-block-heading\">Identify the shared memory segment<\/h5>\n<p>I will use <code>ipcs<\/code> to list the shared memory segments on the system. 
I can identify the shared memory segment by observing the memory usage of the target process, usually by comparing the output before and after the process creates\/uses shared memory.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>ipcs -m<\/code><\/pre>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"152\" src=\"https:\/\/oliviagallucci.com\/wp-content\/uploads\/2024\/08\/format-ipcs-m-1024x152.webp\" alt=\"TOCTOU - ipcs output with no shared memory segments\" class=\"wp-image-72056\"><\/figure>\n<p class=\"has-text-align-center\">Output will be formatted roughly like this.<\/p>\n<p>This command lists all shared memory segments. I will look for segments that correspond to my target process by matching the PID or by checking the size of the segments. (Plain <code>ipcs -m<\/code> shows the key, id, owner, and size of each segment; <code>ipcs -m -p<\/code> adds the creator and last-operation PIDs, which is what the PID match needs.)<\/p>\n<h5 class=\"wp-block-heading\">Attach to the shared memory segment<\/h5>\n<p>Once identified, I can attach to the shared memory segment using the <code>shmat<\/code> system call or use a tool like <code>gdb<\/code> to examine the process memory directly.<\/p>\n<p>Note: When I \u201cattach\u201d to a shared memory segment using the <code>shmat<\/code> system call, I am essentially mapping the shared memory segment into my process\u2019s address space. Mapping allows my process to directly access the contents of the shared memory as if it were a part of my process\u2019s own memory.<\/p>\n<p>[Embedded GitHub gist <code>attach_mem.c<\/code>; its contents were not captured on this page.]<\/p>\n<p>Replace <code>shm_key<\/code> and <code>size<\/code> with the segment\u2019s key and size values.<\/p>\n<ul class=\"wp-block-list has-custom-color-1-gradient-background has-background\">\n<li><code>shm_key<\/code>\n<ul class=\"wp-block-list\">\n<li>The key for the shared memory segment I want to attach to. The key can be obtained from the <code>ipcs -m<\/code> command or by inspecting the target process.<\/li>\n<\/ul>\n<\/li>\n<li><code>size<\/code>\n<ul class=\"wp-block-list\">\n<li>The size of the shared memory segment. 
The size is also obtainable from <code>ipcs -m<\/code> or by analyzing the process.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h5 class=\"wp-block-heading\">Monitor for the integrity check<\/h5>\n<p>I use <code>strace<\/code> (on Linux) to monitor system calls made by the target process, specifically looking for access to the shared memory. Ordinary loads and stores to an attached segment are not system calls, so a tracer only sees the attach, detach, and control calls around the check, not the check itself.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code># Linux\nstrace -p &lt;PID&gt; -e trace=shmctl,shmat,shmdt\n\n# macOS option 1 - dtruss\nsudo dtruss -p &lt;PID&gt; 2&gt;&amp;1 | grep -E 'shmctl|shmat|shmdt'\n\n# macOS option 2 - dtrace\nsudo dtrace -n 'syscall::shmctl:entry \/pid == &lt;PID&gt;\/ { printf(\"%s\\n\", execname); }'<\/code><\/pre>\n<p>These commands will show me when the process attaches to the shared memory segment and when the target process performs operations that might include an integrity check.<\/p>\n<h5 class=\"wp-block-heading\">Modify the shared memory (TOCTOU exploit)<\/h5>\n<p>During the TOCTOU window (between when the process checks the memory and when it uses it), I modify the shared memory contents. 
This modification requires precise timing, often achievable via a script or a custom program that waits for a specific condition before making the change.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>\/\/ c\n\/\/ modify shared memory content (shmaddr is the pointer returned by shmat)\nstrcpy((char *)shmaddr, \"malicious_data\");<\/code><\/pre>\n<p>I replace <code>\"malicious_data\"<\/code> with the data I intend to inject.<\/p>\n<h5 class=\"wp-block-heading\">Observe the process behavior<\/h5>\n<p>The process should now act on the altered shared memory, which, depending on the nature of the alteration, could potentially lead to the execution of malicious code or an unintended operation.<\/p>\n<h2 class=\"wp-block-heading\">Race condition exploitation<\/h2>\n<p>A race condition occurs when two or more processes or threads access shared resources concurrently, and the outcome depends on the timing of their execution. If a process checks a resource and another process can modify that resource before the first process uses it, I can exploit this to inject malicious code.<\/p>\n<h3 class=\"wp-block-heading\">Execution<\/h3>\n<ol class=\"wp-block-list has-custom-color-1-gradient-background has-background\">\n<li>Monitor the legitimate process for actions that involve shared resources.<\/li>\n<li>Introduce or exploit a race condition by having a malicious process race against the legitimate process to modify the resource after it\u2019s checked but before it\u2019s used.<\/li>\n<li>The legitimate process uses the maliciously modified resource, resulting in the execution of my code.<\/li>\n<\/ol>\n<h4 class=\"wp-block-heading\">Example<\/h4>\n<h5 class=\"wp-block-heading\">Monitor the legitimate process<\/h5>\n<p>Again, I use tools like <code>strace<\/code> (Linux) or <code>dtruss<\/code> (macOS) to observe system calls and actions related to file access, memory, or other shared resources.<\/p>\n<h5 class=\"wp-block-heading\">Identify the critical section<\/h5>\n<p>A 
critical section is the portion of the code where the legitimate process checks and then uses a shared resource. This step is typically where I can introduce the race condition.&nbsp;<\/p>\n<p>To find such sections, I have to review the application\u2019s source code (if available) or use the monitoring tools mentioned above to trace file access, memory mappings, or inter-process communication.<\/p>\n<h5 class=\"wp-block-heading\">Create the malicious process<\/h5>\n<p>Here, I need to write a script or program that continuously tries to modify the shared resource during the critical section.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler\">\n<div class=\"wp-block-embed__wrapper\">\n<p><em>[Embedded gist: file_access_race_condition.c]<\/em><\/p>\n<\/div>\n<\/figure>\n<p>Now, I will compile and run this program as a background process.<\/p>\n<pre class=\"wp-block-code has-custom-color-1-gradient-background has-background\"><code>gcc -o race_condition race_condition.c\n.\/race_condition &amp;<\/code><\/pre>\n<h5 class=\"wp-block-heading\">Exploit race condition<\/h5>\n<p>Here, I am attempting to change the resource between the time the legitimate process checks it and the time it is used.<\/p>\n<h6 class=\"wp-block-heading\"><em>Example: Symlink race condition<\/em><\/h6>\n<p>A common technique is to exploit symbolic links:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler\">\n<div class=\"wp-block-embed__wrapper\">\n<p><em>[Embedded gist: symlink_race_condition.sh]<\/em><\/p>\n<\/div>\n<\/figure>\n<p>This script will continuously create a symbolic link from <code>\/tmp\/targetfile<\/code> (the legitimate resource) to <code>\/tmp\/malicious_file<\/code> (my malicious file). The idea is that when the legitimate process accesses <code>\/tmp\/targetfile<\/code>, it might actually be using <code>\/tmp\/malicious_file<\/code> instead, depending on the timing.<\/p>\n<h5 class=\"wp-block-heading\">Observe<\/h5>\n<p>The goal is for the legitimate process to use the maliciously modified resource, thereby executing my code or resulting in other unexpected behavior.<\/p>\n<h2 class=\"wp-block-heading\">Practical considerations<\/h2>\n<h3 class=\"wp-block-heading\">Timing<\/h3>\n<p>Success in these attacks requires precise timing. I must insert my malicious code during the narrow TOCTOU window. 
Techniques like process monitoring, race condition exploitation, and system call interposition can help identify and exploit these windows.<\/p>\n<h3 class=\"wp-block-heading\">Permissions<\/h3>\n<p>These attacks often require elevated permissions or a deep understanding of the target system. For example, file substitution may require the ability to terminate processes or modify system files.<\/p>\n<h3 class=\"wp-block-heading\">System defenses<\/h3>\n<p>Many modern systems employ defenses against TOCTOU attacks, such as <a href=\"https:\/\/oliviagallucci.com\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/#atomic-operations\">atomic operations<\/a>, <a href=\"https:\/\/oliviagallucci.com\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/#secure-system-calls\">secure system calls<\/a> (e.g., <code>openat()<\/code>), and stricter permissions and access controls.&nbsp;<\/p>\n<h4 class=\"wp-block-heading\" id=\"atomic-operations\">Atomic operations&nbsp;<\/h4>\n<p>Atomic operations are \u201cindivisible,\u201d all-or-nothing actions that prevent race conditions by ensuring that a sequence of operations is completed without interruption. Thus, they defend against TOCTOU attacks by eliminating the window where an attacker could alter a resource between checks and usage.<\/p>\n<p class=\"has-custom-grey-box-color-background-color has-background\">Indivisibility in atomic operations refers to the guarantee that the operation is executed as a single, unbreakable step. 
No other processes can observe, interrupt, or modify the state of the operation while it is in progress, thus ensuring consistency and preventing race conditions.<\/p>\n<h4 class=\"wp-block-heading\" id=\"secure-system-calls\">Secure system calls&nbsp;<\/h4>\n<p><code>openat()<\/code> is a secure system call that mitigates TOCTOU attacks by performing file access operations relative to a directory file descriptor that is already open, so the directory resolved at check time cannot be swapped out before the file is used; this reduces the risk of race conditions when accessing files.<\/p>\n<h4 class=\"wp-block-heading\">Bypassing&nbsp;<\/h4>\n<p>Bypassing these defenses may require advanced techniques or exploiting other vulnerabilities to weaken them. For instance, the attack may be complicated further by security mechanisms such as <a href=\"https:\/\/oliviagallucci.com\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/#apparmor\">AppArmor<\/a> or <a href=\"https:\/\/oliviagallucci.com\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/#selinux\">SELinux<\/a> on Linux, or <a href=\"https:\/\/oliviagallucci.com\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/#sip\">System Integrity Protection<\/a> (SIP) on macOS.<\/p>\n<p>If you are unfamiliar with these mechanisms, I included a brief description of each below. I might make some posts on how I have tried to bypass these in the future, but for now, I have not created any resources to help with this.&nbsp;<\/p>\n<h5 class=\"wp-block-heading\" id=\"apparmor\">AppArmor<\/h5>\n<p>AppArmor is a Linux security module that enforces mandatory access control policies on programs, limiting their access to files and resources; it mitigates TOCTOU attacks by restricting what a compromised program can access, even if it attempts to exploit a race condition.<\/p>\n<h5 class=\"wp-block-heading\" id=\"selinux\">SELinux<\/h5>\n<p>Security-Enhanced Linux (SELinux) enforces fine-grained access control policies based on security contexts. 
By tightly controlling what actions processes can perform and on which resources, SELinux reduces the impact of TOCTOU attacks.<\/p>\n<h5 class=\"wp-block-heading\" id=\"sip\">SIP<\/h5>\n<p>SIP in macOS restricts the modification of critical system files and directories. It minimizes the risk of TOCTOU attacks by preventing unauthorized changes to protected areas of the system, even if an attacker gains root access.<\/p>\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n<p>In conclusion, TOCTOU attacks exploit the time gap between when a system checks a resource and when it uses that resource, creating an opportunity for malicious intervention.&nbsp;<\/p>\n<p>This post explored some of my workflows to achieve this, along with a sample execution example. Methods included file substitution, symlink manipulation, environment variable exploitation, shared memory modification, and race condition exploitation. Each method relies on timing and an understanding of the target system\u2019s operations.<\/p>\n<p>I hope you enjoyed this post. 
If you are interested in learning more about security, consider reading <a href=\"https:\/\/oliviagallucci.com\/ids-security-using-decision-trees-and-neural-networks\/\">IDS Security Using Decision Trees and Neural Networks\u200b\u200b<\/a>.&nbsp;<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36249\/How-To-Manipulate-The-Execution-Flow-Of-TOCTOU-Attacks.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":56916,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[256],"class_list":["post-56915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackerflaw"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How To Manipulate The Execution Flow Of TOCTOU Attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How To Manipulate The Execution Flow Of TOCTOU Attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/how-to-manipulate-the-execution-flow-of-toctou-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-23T14:28:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oliviagallucci.com\/wp-content\/uploads\/2024\/08\/format-ipcs-m-1024x152.webp\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"How To Manipulate The Execution Flow Of TOCTOU 
Attacks\",\"datePublished\":\"2024-08-23T14:28:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/\"},\"wordCount\":2754,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks.jpg\",\"keywords\":[\"headline,hacker,flaw\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/\",\"name\":\"How To Manipulate The Execution Flow Of TOCTOU Attacks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks.jpg\",\"datePublished\":\"2024-08-23T14:28:25+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks.jpg\",\"width\":1024,\"height\":152},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-manipulate-the-execution-flow-of-toctou-attacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How To Manipulate The Execution Flow Of TOCTOU Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 
Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}