Time of Check Time of Use (TOCTOU)

Affecting chownr package, versions <0.0.0


Amendment

This was deemed not a vulnerability.

Overview

chownr is a package that takes the same arguments as fs.chown() and applies them recursively, like chown -R.

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU).

Information: Maintainer's Advice

There is no readdir that will succeed on actual directories, and fail on symlinks to directories. The basic flow would be:

1) Read a directory, get a list of items
2) One of those items is a directory
3) After the initial readdir (or readdir+lstat), but before the directory traversal, an attacker moves the directory aside and replaces it with a symbolic link to some other directory.
4) The script will proceed to change ownership of all items in the symlink target directory.

There is no readdir(3) call that will succeed on a "real" directory, but fail on a symbolic link to a directory. What that means is that there is no atomic way to verify that, at the exact time of reading a directory, it's a real directory and not a symlink to somewhere else.

That being the case, there will always be a TOCTOU issue for any recursive filesystem operation that traverses directories making changes at each level.
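The four-step flow above, reproduced in C as an added example (this is not chownr's code nor the maintainer's): a path-based recursive chown that classifies an entry with lstat() and then descends by path, beside a traversal that opens each directory once with openat(O_DIRECTORY | O_NOFOLLOW) and performs every later fstatat()/fchownat()/fchown() relative to that descriptor. The maintainer's point holds for path-based code, since no readdir variant can atomically check "real directory"; the fd-relative form does not need that check because it never re-resolves the path after the open. The scratch tree (root/sub/a next to outside/victim), the armed "attacker" hook that fires at step 3, and run_demo() are constructed for the demo; it runs as an ordinary user because chown to your own uid/gid is permitted.

```c
/* Added example, not chownr's code: the readdir-then-descend race from the
 * advisory against a path-based recursive chown, beside an fd-relative one. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo bookkeeping: inodes each traversal actually chowned, and the scratch
 * tree built by run_demo(): <tmp>/root/sub/a and <tmp>/outside/victim. */
static ino_t touched[64]; static int ntouched;
static void record(ino_t ino) { if (ntouched < 64) touched[ntouched++] = ino; }
static int was_touched(ino_t ino) {
    for (int i = 0; i < ntouched; i++) if (touched[i] == ino) return 1;
    return 0;
}
static char root[PATH_MAX], outside[PATH_MAX]; static int armed;

/* Step 3 of the flow: "sub" has been classified as a directory but not yet
 * descended into; move it aside and plant a symlink to a directory outside. */
static void attacker_window(const char *name) {
    const char *base = strrchr(name, '/');
    if (!armed || strcmp(base ? base + 1 : name, "sub") != 0) return;
    char sub[PATH_MAX], moved[PATH_MAX];
    snprintf(sub, sizeof sub, "%s/sub", root);
    snprintf(moved, sizeof moved, "%s/sub.moved", root);
    rename(sub, moved); symlink(outside, sub);
    armed = 0;
}

/* 1) Path-based traversal, the shape the maintainer describes: lstat() says
 * "directory", then opendir() and chown() re-resolve the path from scratch. */
static void naive_chown_r(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (lstat(path, &st) != 0) return;
    if (S_ISDIR(st.st_mode)) {
        attacker_window(path);
        DIR *d = opendir(path); if (!d) return;   /* follows the planted symlink */
        for (struct dirent *e; (e = readdir(d)) != NULL; ) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            char child[PATH_MAX];
            snprintf(child, sizeof child, "%s/%s", path, e->d_name);
            naive_chown_r(child, uid, gid);
        }
        closedir(d);
    }
    if (stat(path, &st) == 0 && chown(path, uid, gid) == 0) record(st.st_ino);
}

/* 2) fd-relative traversal: open the directory once with O_NOFOLLOW, make every
 * later call relative to that fd, and chown the directory through the verified
 * fd. A file swapped for a symlink only gets the symlink itself chowned. */
static void safe_chown_r(int parentfd, const char *name, uid_t uid, gid_t gid) {
    struct stat st;
    if (fstatat(parentfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return;
    if (!S_ISDIR(st.st_mode)) {
        if (fchownat(parentfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) == 0) record(st.st_ino);
        return;
    }
    attacker_window(name);
    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return;                       /* ELOOP: it is a symlink now, skip it */
    DIR *d = fdopendir(fd); if (!d) { close(fd); return; }
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        safe_chown_r(fd, e->d_name, uid, gid);
    }
    if (fstat(fd, &st) == 0 && fchown(fd, uid, gid) == 0) record(st.st_ino);
    closedir(d);                              /* also closes fd */
}

/* Builds the scratch tree, arms the attacker, runs one traversal as the current
 * user and returns 1 if outside/victim was chowned (the traversal escaped). */
int run_demo(int fd_relative) {
    char tmp[] = "/tmp/toctou.XXXXXX", sub[PATH_MAX], a[PATH_MAX], victim[PATH_MAX];
    if (!mkdtemp(tmp)) return -1;
    snprintf(root, sizeof root, "%s/root", tmp); snprintf(outside, sizeof outside, "%s/outside", tmp);
    snprintf(sub, sizeof sub, "%s/sub", root); snprintf(a, sizeof a, "%s/a", sub);
    snprintf(victim, sizeof victim, "%s/victim", outside);
    mkdir(root, 0700); mkdir(sub, 0700); mkdir(outside, 0700);
    close(open(a, O_CREAT | O_WRONLY, 0600)); close(open(victim, O_CREAT | O_WRONLY, 0600));
    struct stat vs; if (stat(victim, &vs) != 0) return -1;
    ntouched = 0; armed = 1;
    if (fd_relative) safe_chown_r(AT_FDCWD, root, getuid(), getgid());
    else naive_chown_r(root, getuid(), getgid());
    int escaped = was_touched(vs.st_ino);
    /* best-effort cleanup: after the swap, a lives under root/sub.moved */
    snprintf(a, sizeof a, "%s/sub.moved/a", root); unlink(a); unlink(victim); unlink(sub);
    snprintf(a, sizeof a, "%s/sub.moved", root); rmdir(a); rmdir(outside); rmdir(root); rmdir(tmp);
    return escaped;
}

int main(void) {
    printf("path-based traversal escaped the tree: %d\n", run_demo(0));
    printf("fd-relative traversal escaped the tree: %d\n", run_demo(1));
    return 0;
}
```

run_demo(0) returns 1: the path-based traversal followed the planted symlink and chowned outside/victim. run_demo(1) returns 0: openat() with O_NOFOLLOW fails with ELOOP on the swapped entry and nothing outside the tree is touched. Node's fs module does not expose the *at() family, which is why a pure-JavaScript recursive chown such as chownr cannot take this route and is left with the window the maintainer describes.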

Remediation

There is no fixed version for chownr.

CVSS Score

2.9
low severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Credit
Jeff Epler
CWE
CWE-264
Snyk ID
SNYK-JS-CHOWNR-73502
Disclosed
31 Jul, 2018
Published
11 Jan, 2019