Encontrou os detalhes aqui :
The
-execaction causes another program to be run. It passes to the program the name of the file which is being considered at the time. The invoked program will typically then perform some action on that file. Once again, there is a race condition which can be exploited here. We shall take as a specific example the commandfind /tmp -path /tmp/umsp/passwd -exec /bin/rmIn this simple example, we are identifying just one file to be deleted and invoking
/bin/rmto delete it. A problem exists because there is a time gap between the point where find decides that it needs to process the-execaction and the point where the/bin/rmcommand actually issues the unlink() system call to delete the file from the filesystem. Within this time period, an attacker can rename the/tmp/umspdirectory, replacing it with a symbolic link to/etc. There is no way for/bin/rmto determine that it is working on the same file that find had in mind. Once the symbolic link is in place, the attacker has persuaded find to cause the deletion of the/etc/passwdfile, which is not the effect intended by the command which was actually invoked.
Não tenho certeza da probabilidade de alguém poder explorar isso; mas eu acho que tem a resposta!