CVE-2020-10174 in Timeshift

Summary

by MITRE

init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.


Analysis

by VulDB Data Team • 04/09/2024

The vulnerability identified as CVE-2020-10174 resides in the Timeshift backup utility version 20.03 and earlier, specifically within the TeeJee.FileSystem.vala component. This flaw represents a critical security weakness that allows privilege escalation through improper temporary directory handling. The issue manifests when the application initializes a temporary directory at the predictable path /tmp/timeshift, which creates a dangerous attack surface due to its insecure default location and lack of proper access controls.

The vulnerability stems from the application's failure to secure the creation and reuse of its temporary directory. The init_tmp function in Timeshift's filesystem handling code does not validate what already exists at /tmp/timeshift before using it, leaving the location susceptible to symbolic link manipulation and to reuse of a directory owned by another, unprivileged user. This behavior violates the security principles outlined in CWE-355, which addresses insufficient input validation and improper handling of temporary files. The predictable directory path makes the weakness particularly easy to target, since an attacker can anticipate exactly where the application will look.

The operational impact of this vulnerability is severe, and it is practically guaranteed to be reachable during normal Timeshift operation. Since the problematic logic executes regardless of command-line arguments, any invocation of Timeshift creates an opportunity for exploitation. The attack vector is a race condition in which an unprivileged user replaces legitimate Timeshift-created scripts with malicious counterparts before Timeshift executes them. This race-condition vector aligns with ATT&CK technique T1059.001 for command and script injection, and T1068 for privilege escalation through local exploitation. The attacker's goal is to have a malicious script executed with root privileges, compromising the entire system.

The security implications extend beyond simple script execution, as this vulnerability represents a complete breakdown of privilege separation. That Timeshift executes scripts from this location at all reflects the dangerous practice of running code from an insecure, shared temporary directory. This flaw exemplifies the ATT&CK tactics T1078 for valid accounts and T1548 for abuse of privileges, as it allows attackers to gain root access through a legitimate system utility. Because the flaw is present across all command-line scenarios, it cannot be avoided through careful usage or parameter selection. It is a fundamental defect in the application's security architecture, and remediation requires proper temporary file handling and privilege management.
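The weak pattern the analysis describes, and the hardened alternative a defender would expect, as an added C example that is not Timeshift's own code: init_tmp_insecure() trusts whatever already exists at a fixed path (stat() follows symlinks, and a pre-existing directory is reused no matter who owns it), while open_tmp_secure() creates the directory with mode 0700, opens it with O_NOFOLLOW|O_DIRECTORY so a planted symlink or non-directory is refused, and then validates ownership and permissions on the open file descriptor rather than on the path, which removes the check-then-use window. The function names, the scratch path under /tmp and the scenarios in self_check() are constructed for this example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (hypothetical, modelled on the advisory): stat() follows
   symlinks, so a link planted at path is accepted as "our" directory, and a
   pre-existing directory is reused regardless of owner or mode.
   Returns 0 when a directory is now reachable at path, -1 otherwise. */
int init_tmp_insecure(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return S_ISDIR(st.st_mode) ? 0 : -1;
    return mkdir(path, 0755);
}

/* Hardened pattern: returns an open directory fd, or -1 if the path is a
   symlink, not a directory, owned by someone else, or group/world writable.
   Later work must go through the fd (openat, mkdirat, fchmod), never the path. */
int open_tmp_secure(const char *path)
{
    struct stat st;
    int fd;

    /* Create with a private mode; EEXIST just means we must inspect it. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW fails on a symlink (ELOOP), O_DIRECTORY on a file (ENOTDIR). */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() on the fd checks the object we actually opened. */
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Builds four constructed scenarios in a private scratch directory and
   returns 1 if both functions behave as described in the comments. */
int self_check(void)
{
    char scratch[] = "/tmp/tmpcheck.XXXXXX";      /* constructed scratch area */
    char fresh[64], link[64], target[64], loose[64], file[64];
    int ok = 1, fd;

    if (mkdtemp(scratch) == NULL)
        return 0;
    snprintf(fresh,  sizeof fresh,  "%s/fresh",  scratch);
    snprintf(link,   sizeof link,   "%s/link",   scratch);
    snprintf(target, sizeof target, "%s/target", scratch);
    snprintf(loose,  sizeof loose,  "%s/loose",  scratch);
    snprintf(file,   sizeof file,   "%s/file",   scratch);

    /* 1. Nothing at the path yet: both create and accept it. */
    fd = open_tmp_secure(fresh);
    ok &= (fd >= 0);
    if (fd >= 0) close(fd);
    ok &= (init_tmp_insecure(fresh) == 0);

    /* 2. A symlink planted at the path, pointing at some directory. */
    ok &= (mkdir(target, 0700) == 0 && symlink(target, link) == 0);
    ok &= (init_tmp_insecure(link) == 0);   /* weak: follows the link */
    ok &= (open_tmp_secure(link) == -1);    /* hardened: refuses it   */

    /* 3. A pre-existing directory that anyone can write into. */
    ok &= (mkdir(loose, 0777) == 0 && chmod(loose, 0777) == 0);
    ok &= (init_tmp_insecure(loose) == 0);  /* weak: reuses it        */
    ok &= (open_tmp_secure(loose) == -1);   /* hardened: refuses it   */

    /* 4. A regular file at the path: both refuse. */
    fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    ok &= (init_tmp_insecure(file) == -1);
    ok &= (open_tmp_secure(file) == -1);

    unlink(file); rmdir(loose); unlink(link); rmdir(target); rmdir(fresh);
    rmdir(scratch);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "all scenarios as expected" : "FAILED");
    return 0;
}
```

The ownership check is against geteuid(), so when the caller is root a directory owned by an unprivileged user is rejected outright. A further simplification, where the application does not need a fixed path at all, is to drop the predictable name and let mkdtemp() create a fresh private directory on every run.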

Reservation

03/05/2020

Moderation

accepted

CPE

ready

EPSS

0.00280

KEV

no

Activities

very low
