Agent skill

logic-vulnerabilities

File descriptor abuse, race conditions, and TOCTOU vulnerabilities

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/logic-vulnerabilities-amattas-agentic-coding

SKILL.md

Logic Vulnerabilities

Exploits targeting program logic rather than memory corruption.

1. File Descriptor (FD) Abuse

Concept: Manipulate which file a hardcoded FD refers to.

Signals:

  • Program uses constant FD (e.g., read(3, buf, n))
  • FD assignment can be influenced before target code runs

FD basics:

0 = stdin, 1 = stdout, 2 = stderr
3+ = assigned in order by open()

Approach A - Claim target FD:

1. Close lower FDs to influence assignment
2. Open desired file (gets lowest available FD)
3. dup2() to target FD number
4. Execute vulnerable program

Approach B - FD exhaustion:

1. Open many files to consume FD numbers
2. Next open() returns predictable FD

Approach C - Symlink redirection:

1. Program opens user-controlled path
2. Create symlink pointing to sensitive file

2. TOCTOU (Time-of-Check to Time-of-Use)

Concept: Change what a path refers to between validation and use.

Signals:

  • Check: stat(), access(), lstat()
  • Gap/delay
  • Use: open(), read(), exec()
  • Path-based (not FD-based) operations

The race window:

Victim:    [CHECK path] ----delay---- [USE path]
Attacker:              [SWAP target]

Approach A - Symlink race:

Thread 1: Rapidly flip symlink between allowed and sensitive targets
Thread 2: Repeatedly trigger victim until race succeeds

Approach B - Rename race:

Rapidly rename/swap files at target path

Improving success rate:

  • Multiple racing processes
  • Tune timing based on victim's check-use gap
  • Use inotify to detect access and trigger swap

Detection Patterns

FD abuse indicators:

c
// Hardcoded FD without validation
read(3, buf, size);

// Sequential FD assumption
int fd = open(path, O_RDONLY);
// Assumes fd == 3

TOCTOU indicators:

c
// Vulnerable: path-based check then use
if (access(path, R_OK) == 0) {
    fd = open(path, O_RDONLY);  // Race window!
}

// Safer: FD-based throughout
fd = open(path, O_RDONLY);
fstat(fd, &st);  // Uses FD, not path

Debugging

bash
# Trace FD operations
strace -e trace=open,openat,read,write,dup2 <program>

# Watch file access for timing
inotifywait -m <path> -e access

Pitfalls

Issue Cause Solution
O_NOFOLLOW Symlinks not followed Use rename instead
openat() FD-relative paths Target the directory FD
Atomic operations No race window Different approach needed
Low success rate Narrow window More processes, better timing

Didn't find tool you were looking for?

Be as detailed as possible for better results