Yt-grabber-tui TOCTOU Race Condition Vulnerability Allowing Arbitrary File Overwrite

Vulnerability

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in yt-grabber-tui version 1.0, a C++ terminal user interface application for downloading YouTube content. The vulnerability arises in the handling of the default configuration file, config.json. In this version, the 'load_json_settings' function checks whether config.json exists. If the file is absent, it calls 'create_json_settings', which writes the JSON configuration using 'boost::property_tree::write_json'. Between the existence check and the write there is a window in which a local attacker with write access to the application's configuration directory can place a symbolic link at config.json, redirecting the write operation to an attacker-chosen file. This flaw enables arbitrary file overwriting with the privileges of the application's process, potentially corrupting important files and causing loss of application or user data. If the application is run with elevated privileges, the impact could extend to critical system files.

Impact

Exploitation of this vulnerability allows for arbitrary file overwriting, which can corrupt files and result in the loss of application or user data. If yt-grabber-tui is executed with elevated privileges, this could lead to system file corruption.

Reproduction

The vulnerability can be reproduced by creating a symbolic link at config.json between the file existence check and the subsequent write of the configuration file. This depends on the timing of the 'load_json_settings' function, which checks for the existence of config.json and then writes to it. If a symlink is introduced during this brief window, the 'write_json' call follows it and overwrites a file of the attacker's choice.

Remediation

Users are advised to upgrade to yt-grabber-tui version 1.0.1 or later. The vulnerability has been fully patched in version 1.0.1 by implementing atomic file creation: the JSON configuration is first written to a temporary file and then renamed to config.json in a single atomic operation. This eliminates the race condition, because the rename is atomic on POSIX filesystems and on NTFS, and it replaces whatever entry exists at the destination path instead of following a symlink placed there.
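The temporary-file-plus-rename pattern described above, as an added example written for this page rather than yt-grabber-tui's own code; the function names, the temp-file naming and the demo paths are assumptions, and plain POSIX calls stand in for the project's boost::property_tree::write_json:

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <filesystem>
#include <fstream>
#include <string>
#include <unistd.h>
#include <vector>
namespace fs = std::filesystem;

// Hypothetical replacement for create_json_settings(): the JSON text is
// written to a temp file in the same directory, then rename(2)'d into place.
bool write_config_atomic(const fs::path& target, const std::string& json) {
    // Same directory as the target, so rename() stays atomic (no cross-fs copy).
    std::string tmpl = (target.parent_path() / ".config.json.XXXXXX").string();
    std::vector<char> buf(tmpl.c_str(), tmpl.c_str() + tmpl.size() + 1);
    int fd = mkstemp(buf.data());  // O_CREAT|O_EXCL: never follows a symlink
    if (fd < 0) return false;
    std::string tmp_path(buf.data());
    bool ok = true;
    for (size_t off = 0; ok && off < json.size();) {
        ssize_t n = write(fd, json.data() + off, json.size() - off);
        if (n < 0) { if (errno != EINTR) ok = false; } else off += n;
    }
    if (ok && fsync(fd) != 0) ok = false;
    if (close(fd) != 0) ok = false;
    // rename() replaces whatever is at target (a symlink included) rather
    // than following it, so the original check-then-write window is gone.
    if (ok && std::rename(tmp_path.c_str(), target.c_str()) != 0) ok = false;
    if (!ok) unlink(tmp_path.c_str());
    return ok;
}

// Self-check on constructed paths: a symlink already sitting at config.json
// must be replaced, and the file it pointed to must be left untouched.
bool demo_symlink_not_followed() {
    fs::path dir = fs::temp_directory_path() / "ytg-atomic-demo";
    fs::remove_all(dir);
    fs::create_directory(dir);
    fs::path victim = dir / "other.txt";
    { std::ofstream v(victim); v << "original"; }
    fs::path cfg = dir / "config.json";
    fs::create_symlink(victim, cfg);  // stale link left at the destination
    bool ok = write_config_atomic(cfg, "{\"quality\":\"best\"}\n");
    std::string back; { std::ifstream in(victim); std::getline(in, back); }
    bool untouched = back == "original" && !fs::is_symlink(cfg) && fs::is_regular_file(cfg);
    fs::remove_all(dir);
    return ok && untouched;
}
```

The self-check is the property a reviewer should verify for any fix of this class: after the write, config.json is a regular file and the link's former target still holds its original contents.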

Added: Oct 17, 2025, 8:17 PM
Updated: Oct 17, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.