Claude-skill-registry logic-vulnerabilities
File descriptor abuse, race conditions, and TOCTOU vulnerabilities
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/logic-vulnerabilities" ~/.claude/skills/majiayu000-claude-skill-registry-logic-vulnerabilities && rm -rf "$T"
manifest:
skills/data/logic-vulnerabilities/SKILL.mdtags
source content
Logic Vulnerabilities
Exploits targeting program logic rather than memory corruption.
1. File Descriptor (FD) Abuse
Concept: Manipulate which file a hardcoded FD refers to.
Signals:
- Program uses constant FD (e.g.,
)read(3, buf, n) - FD assignment can be influenced before target code runs
FD basics:
0 = stdin, 1 = stdout, 2 = stderr 3+ = assigned in order by open()
Approach A - Claim target FD:
1. Close lower FDs to influence assignment 2. Open desired file (gets lowest available FD) 3. dup2() to target FD number 4. Execute vulnerable program
Approach B - FD exhaustion:
1. Open many files to consume FD numbers 2. Next open() returns predictable FD
Approach C - Symlink redirection:
1. Program opens user-controlled path 2. Create symlink pointing to sensitive file
2. TOCTOU (Time-of-Check to Time-of-Use)
Concept: Change what a path refers to between validation and use.
Signals:
- Check:
,stat()
,access()lstat() - Gap/delay
- Use:
,open()
,read()exec() - Path-based (not FD-based) operations
The race window:
Victim: [CHECK path] ----delay---- [USE path] Attacker: [SWAP target]
Approach A - Symlink race:
Thread 1: Rapidly flip symlink between allowed and sensitive targets Thread 2: Repeatedly trigger victim until race succeeds
Approach B - Rename race:
Rapidly rename/swap files at target path
Improving success rate:
- Multiple racing processes
- Tune timing based on victim's check-use gap
- Use inotify to detect access and trigger swap
Detection Patterns
FD abuse indicators:
// Hardcoded FD without validation read(3, buf, size); // Sequential FD assumption int fd = open(path, O_RDONLY); // Assumes fd == 3
TOCTOU indicators:
// Vulnerable: path-based check then use if (access(path, R_OK) == 0) { fd = open(path, O_RDONLY); // Race window! } // Safer: FD-based throughout fd = open(path, O_RDONLY); fstat(fd, &st); // Uses FD, not path
Debugging
# Trace FD operations strace -e trace=open,openat,read,write,dup2 <program> # Watch file access for timing inotifywait -m <path> -e access
Pitfalls
| Issue | Cause | Solution |
|---|---|---|
| O_NOFOLLOW | Symlinks not followed | Use rename instead |
| openat() | FD-relative paths | Target the directory FD |
| Atomic operations | No race window | Different approach needed |
| Low success rate | Narrow window | More processes, better timing |