🛡️ Free practice test question from: TOCTOUC vulnerability (Security+)

A) involves environment variable manipulation, which is a different attack vector and does not directly exploit the timing between the integrity check and file usage.

B) suggests replacing the file immediately after the check, but without using symbolic links, it may be more detectable and less reliable due to the precise timing required.

→ Direct file replacement involves physically removing or overwriting the original file with a malicious one during the TOCTOU window. This requires extremely precise timing.

→ A symlink avoids this tight timing dependency because creating or modifying a symlink is a lightweight and almost instantaneous operation.

→ Many systems or applications use file-locking mechanisms to prevent a file from being modified while it is being accessed.

→ Symlinks are typically not subject to file locking. Even if the target file is locked, the attacker can change the symlink to point to a malicious file without interference.

→ Direct replacing involves multiple detectable actions, increasing the likelihood of failure or logging.

→ Symlink minimizing detectable actions (single system call for symlink manipulation).

C) correctly describes a symbolic link (symlink) attack, where the attacker replaces the legitimate configuration file with a symlink to a malicious file during the narrow window between the integrity check and the file's usage by the application. This method leverages the TOCTOU vulnerability effectively.

D) involves shared memory manipulation, which is not directly related to the file integrity check and usage described in the scenario.