Mojo-Vault presented itself as a hardened Bash script protected by an aggressive MD5 self-integrity mechanism. The script hashed itself on execution; if a single byte had been altered, it aborted immediately. However, close inspection of the Bash logic revealed a critical architectural flaw: a Time-of-Check to Time-of-Use (TOCTOU) vulnerability.
During execution, the vault temporarily extracted vital dependency scripts to the /tmp directory before securely wiping them milliseconds later. I realized I could beat the cleanup routine by weaponizing a race condition.
I crafted a malicious bash loop using a named pipe (mkfifo) to intentionally stall the vault's input stream. While the vault hung waiting for input, the temporary files—including a highly sensitive boot.py—were sitting fully exposed in the /tmp directory. A secondary script snatched copies of the files before the vault resumed execution. Analyzing boot.py provided the master PIN, which, when base64-decoded, granted total system compromise.
Key Takeaways
- Integrity checks are useless if the runtime artifacts are not securely sandboxed. TOCTOU vulnerabilities in /tmp extractions are highly lethal.
- Named pipes (FIFOs) can be weaponized to indefinitely pause blocking scripts, breaking critical cleanup timing loops.
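The following is an added example, not code from the Mojo-Vault script or this writeup. It puts the extraction pattern the writeup describes (a predictable file in the shared /tmp, created with the default umask and wiped only by a later cleanup command) beside a hardened version that keeps the artifact in a private mktemp directory with owner-only permissions and binds cleanup to process exit with trap, so a stalled input stream, a signal or a failing command cannot leave the file behind. DEP_CONTENT is a constructed stand-in, and the vault.XXXXXX template and the helper names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the Mojo-Vault script. Shows the weak "extract to /tmp,
# wipe later" pattern the writeup describes next to a hardened version.
# DEP_CONTENT is a constructed stand-in; vault.XXXXXX and the helper names
# are assumptions made for this example.
set -eu

# Constructed stand-in for the dependency the vault writes out at runtime.
DEP_CONTENT='print("constructed stand-in for an extracted dependency")'

# Weak pattern: a predictable name in a shared directory (default /tmp),
# created with the default umask, alive until an explicit cleanup command
# runs later. Any delay between those two points (a blocked read, a slow
# step) is the TOCTOU window the writeup describes.
weak_extract() {
    local base="${1:-${TMPDIR:-/tmp}}"
    local path="$base/boot.py"
    printf '%s\n' "$DEP_CONTENT" > "$path"
    printf '%s\n' "$path"
}

# Hardened pattern. State lives in globals rather than being returned via a
# command substitution: an EXIT trap registered inside $(...) fires when that
# subshell exits and would delete the file before the caller ever used it.
VAULT_TMPDIR=""
VAULT_DEP_PATH=""

cleanup() {
    # Runs on normal exit, on a failing command under set -e, and on
    # SIGINT/SIGTERM; tolerates the directory never having been created.
    [ -n "$VAULT_TMPDIR" ] && rm -rf -- "$VAULT_TMPDIR"
    return 0
}

harden_extract() {
    # mktemp -d gives an unpredictable name created mode 0700; umask 077 is
    # belt-and-braces so nothing inherits a permissive default.
    VAULT_TMPDIR="$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/vault.XXXXXX")"
    # Register cleanup BEFORE anything sensitive is written.
    trap cleanup EXIT INT TERM
    VAULT_DEP_PATH="$VAULT_TMPDIR/boot.py"
    # The file is created 0600: readable by the owner only.
    ( umask 077 && printf '%s\n' "$DEP_CONTENT" > "$VAULT_DEP_PATH" )
}

# Audit helpers: octal mode (GNU stat, BSD stat as fallback) and a check
# that no group/other permission bits are set.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

is_owner_only() {
    case "$(mode_of "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demonstration when run directly.
harden_extract
printf 'private dir %s (mode %s)\n' "$VAULT_TMPDIR" "$(mode_of "$VAULT_TMPDIR")"
printf 'dependency  %s (mode %s)\n' "$VAULT_DEP_PATH" "$(mode_of "$VAULT_DEP_PATH")"
if is_owner_only "$VAULT_DEP_PATH"; then
    echo "owner-only: yes"
else
    echo "owner-only: NO (exposed to other local users)"
fi
```

The trap is the part that addresses the timing problem directly: the cleanup is no longer a separate step that has to be reached, it is attached to the lifetime of the process. The private directory addresses the exposure: even during the window in which the file exists, another local user cannot traverse the directory or read the file. Where the design allows it, the stronger fix is not to materialize the secret on disk at all; where extraction is unavoidable, this is the minimum.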