CVE-2017-18018 in Coreutils
Summary
by MITRE
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/09/2025
The vulnerability identified as CVE-2017-18018 affects GNU Coreutils version 8.29 and earlier, specifically within the chown and chgrp commands when utilizing the POSIX "-R -L" options. This flaw represents a critical race condition that enables local attackers to manipulate file ownership through a carefully orchestrated sequence of operations. The vulnerability stems from the improper handling of file system operations during recursive directory traversal when following symbolic links, creating an exploitable window where attackers can substitute target files with symbolic links to manipulate ownership assignments.
The technical implementation of this vulnerability resides in the chown-core.c file where the chown and chgrp utilities process recursive operations with the -R (recursive) and -L (follow symbolic links) flags simultaneously. During normal operation, these commands traverse directories recursively while following symbolic links to their targets. However, the flaw occurs when a file is being processed and the system allows for the possibility that the target file could be replaced with a symbolic link by an attacker between the time the command checks for the file's existence and the time it attempts to modify the file's ownership. This race condition creates a window where an attacker can manipulate the system to redirect ownership changes to unintended targets, potentially allowing privilege escalation or unauthorized access to sensitive files.
The operational impact of this vulnerability extends beyond simple file ownership manipulation, as it can be leveraged for privilege escalation attacks and arbitrary file access control modification. Attackers can exploit this flaw to change ownership of critical system files, configuration files, or files belonging to other users, potentially gaining elevated privileges or compromising system integrity. The vulnerability is particularly concerning because it operates at the system level where users with basic privileges can exploit it to affect files owned by other users or system processes. This race condition effectively allows attackers to bypass normal access controls and modify file permissions in ways that should normally be restricted to privileged users.
Security mitigations for CVE-2017-18018 should focus on updating to GNU Coreutils version 8.30 or later, where the race condition has been addressed through proper synchronization mechanisms during file system operations. Organizations should also implement monitoring for unusual chown and chgrp operations, particularly those involving recursive operations with symbolic link following, as these may indicate exploitation attempts. The vulnerability aligns with CWE-367, which describes the dangerous use of a function that can be exploited for time-of-check to time-of-use (TOCTOU) attacks, and relates to ATT&CK technique T1068, which involves exploiting vulnerabilities in system utilities for privilege escalation. System administrators should also consider implementing file integrity monitoring solutions to detect unauthorized changes to critical system files that might result from exploitation of this vulnerability, as the attack requires careful coordination of multiple system calls to achieve the desired effect of redirecting ownership changes to unintended targets.