A flaw in Rust Programming language could allow to delete files and directories

The maintainers of the Rust programming language fixed a high-severity flaw that could allow attackers to delete files and directories from a vulnerable system.

The maintainers of the Rust programming language have released a security update for a high-severity vulnerability, tracked as CVE-2022-21658. An attacker can trigger the vulnerability to delete files and directories from a vulnerable system.

“The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable a race condition enabling symlink following (CWE-363).” reads the advisory published by maintainers of the programming language. “An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn’t otherwise access or delete.”

The vulnerability affects Rust 1.0.0 through Rust 1.58.0, it was addressed with the release of Rust version 1.58.1 shipped last week.

An attacker with an unprivileged access to a system that wants to delete a system directory called sensitive/, for which he doesn’t’ have the permissions to do so, he could find a privileged program that removes a directory he has access to (called temp/), create a symlink from temp/foo to sensitive/, and wait for the privileged program to delete foo/. The privileged program would follow the symlink from temp/foo to sensitive/ while recursively deleting, resulting in sensitive/ being deleted.

The advisory states that std::fs::remove_dir_all already includes protection against recursively deleting symlinks, but they are not correctly implemented.

“Unfortunately that check was implemented incorrectly in the standard library, resulting in a TOCTOU (Time-of-check Time-of-use) race condition. Instead of telling the system not to follow symlinks, the standard library first checked
whether the thing it was about to delete was a symlink, and otherwise it would proceed to recursively delete the directory.” continues the advisory. “This exposed a race condition: an attacker could create a directory and replace
it with a symlink between the check and the actual deletion. While this attack likely won’t work the first time it’s attempted, in our experimentation we were able to reliably perform it within a couple of seconds.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Rust programming language)

[adrotate banner=”5″]

[adrotate banner=”13″]