A race condition attack happens when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect. This attack, which depends on multithreaded applications, can be delivered in one of two ways: interference caused by untrusted processes (essentially a piece of code that slips into a sequence between steps of a secure program), and interference caused by a trusted process, which may have the "same" privileges. Without proper controls, different processes can interfere with each other. Other names used to refer to this vulnerability include Time of Check/Time of Use or TOC/TOU attacks.
What Happens During a Race Condition Attack?
Web applications, file systems, and networking environments are all vulnerable to a race condition attack. Attackers might target an access control list (ACL), a payroll or human resources database, a transactional system, a financial ledger, or some other data repository. Although race condition attacks don’t happen frequently — because they’re relatively difficult to engineer and attackers must exploit a very brief window of opportunity — when they do happen, they can lead to serious repercussions, including a system granting unauthorized privileges. What’s more, race condition attacks are inherently difficult to detect.
Anatomy of a Race Condition Flaw
When a normal update to an application or database takes place — and names, numbers, or other data are changed to reflect the most current state of information — a cybercriminal could unleash a race condition attack. This is possible because the database isn’t completely rewritten during the update process. As the update takes place, a gap exists, one that can last less than a second or up to a few minutes, during which the system is unprotected. This allows attackers to gain unauthorized access. During this brief period, an attacker can send queries that compromise the system and result in a race condition attack.
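The gap between check and use described above, shown as an added example that is not part of the original article: two near-identical withdrawals hit a constructed in-memory ledger, first with the balance check outside the lock, then with check and update in one critical section. The names Ledger, withdraw_racy, withdraw_atomic and run_two_requests are hypothetical, and a threading.Barrier is used only to make the interleaving repeatable.

```python
import threading

class Ledger:
    """Constructed in-memory ledger; balance stands in for a database row."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, gap):
        # Time of check: the balance is validated outside the lock.
        if self.balance < amount:
            return False
        gap()  # window in which another request can pass the same check
        with self._lock:  # time of use: only the write is protected
            self.balance -= amount
        return True

    def withdraw_atomic(self, amount, gap):
        # Check and use share one critical section, so nothing interleaves.
        with self._lock:
            if self.balance < amount:
                return False
            gap()
            self.balance -= amount
            return True

def run_two_requests(method_name, start_balance=100, amount=100):
    """Send two identical withdrawals at once; return (approvals, balance)."""
    ledger = Ledger(start_balance)
    barrier = threading.Barrier(2)
    results = []

    def gap():
        # Hold a request in the window until the other arrives or 0.5 s pass.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    def request():
        results.append(getattr(ledger, method_name)(amount, gap))

    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance

if __name__ == "__main__":
    print(run_two_requests("withdraw_racy"), run_two_requests("withdraw_atomic"))
```

In the first run both requests are approved against the same stale balance and the account is overdrawn; in the second the later request sees the updated balance and is refused.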
Impact of a Race Condition Attack
When an attacker breaches a system using a race condition attack, it is possible to alter, manipulate, or steal data, make changes to privileges, insert malicious code, unleash a denial of service (DoS) attack, and deactivate security controls. A race condition attack can also involve APIs. In one high-profile case, the FBI reported that attackers used this method to steal more than $1 million from Citibank using cash advance ATM kiosks at casinos in California and Nevada. The attackers sent nearly identical queries within a 60-second time window.