uutils coreutils cp Utility TOCTOU Vulnerability Allows Bypassing Symbolic Link No-Dereference Intent
Vulnerability
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the cp utility of uutils coreutils. This vulnerability allows an attacker to bypass the no-dereference intent when handling symbolic links. The issue arises because the cp utility first checks whether a source path is a symbolic link using metadata obtained by following the link, and only afterwards opens the file, without the O_NOFOLLOW flag. An attacker with concurrent write access to the source directory can exploit the window between the check and the open by replacing a regular file with a symbolic link to a sensitive target, causing a privileged cp process to inadvertently copy the contents of the sensitive file to a location controlled by the attacker.
Impact
Exploitation of this vulnerability could lead to unauthorized copying of sensitive files into a destination controlled by the attacker.
Reproduction
To reproduce this vulnerability, create a source directory under the attacker's control and a destination directory. While a cp command is executed on a file in the source directory, a second process can concurrently swap that file between a regular file and a symbolic link pointing to a sensitive target. This timing manipulation can result in the cp command copying the contents of the linked file to the destination.
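The check-then-open sequence described above, beside a race-free variant that opens with O_NOFOLLOW and then inspects the opened descriptor with fstat, as an added C example; this is not uutils code, and the helper names and the scratch path under /tmp are assumptions.

```c
/* Added example, not uutils code; helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: stat() follows links, so S_ISLNK can never be true here, and the
 * later open() follows links too; whatever the path names at open time wins. */
int open_source_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1;
    return open(path, O_RDONLY | O_CLOEXEC);   /* window between stat and open */
}

/* Race-free: O_NOFOLLOW makes the kernel reject a symlink at the final
 * component (ELOOP); fstat() then inspects the object actually opened. */
int open_source_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Creates a scratch regular file plus a symlink to it (constructed input) and
 * reports, as a bitmask, how each opener treats them. */
enum { REGULAR_OK = 1, LINK_REJECTED = 2, RACY_FOLLOWED = 4 };

int run_demo(void) {
    int r = 0;
    char dir[64], file[96], lnk[96];
    snprintf(dir, sizeof dir, "/tmp/cp_nofollow_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return r;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0) return r;
    unlink(lnk);
    if (symlink(file, lnk) != 0) return r;
    fd = open_source_nofollow(file); if (fd >= 0) { r |= REGULAR_OK; close(fd); }
    fd = open_source_nofollow(lnk);  if (fd < 0 && errno == ELOOP) r |= LINK_REJECTED;
    fd = open_source_racy(lnk);      if (fd >= 0) { r |= RACY_FOLLOWED; close(fd); }
    unlink(lnk); unlink(file); rmdir(dir);
    return r;
}
```

The racy opener happily returns a descriptor for the symlink, while the O_NOFOLLOW opener fails with ELOOP; a copy routine built on the latter has no window in which a swapped-in link can be dereferenced.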