CAPEC-132 - Symlink Attack

An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 3
  • Spoofing
  • Analysis
  • Time and State
  • Purposes 2
  • Exploitation
  • Penetration
  • Scopes 11
  • "Varies by context"
  • Confidentiality
  • Modify files or directories
  • Integrity
  • Read files or directories
  • Confidentiality
  • Modify application data
  • Integrity
  • Read memory
  • Confidentiality
  • Modify memory
  • Integrity
  • Read application data
  • Confidentiality
  • Execute unauthorized code or commands
  • Authorization
  • Gain privileges / assume identity
  • Non-Repudiation
  • Authorization
  • Authentication
  • Accountability
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • DoS: instability
  • DoS: crash / exit / restart
  • Availability

Low level: To create symlinks

High level: To identify the files and create the symlinks during the file operation time window

The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The attacker must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.

No special resources are required beyond the ability to create the necessary symbolic link.

Step 1 - Identify Target

Attacker identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories..

Tecnique ID: 1 - Environment(s) env-Local

The attacker writes to files in different directories to check whether the application has sufficient checking before file operations.

Tecnique ID: 2 - Environment(s) env-Local

The attacker creates symlinks to files in different directories.

Indicator ID: 1 - Environment(s) env-Local

Type: Positive

The application does not check whether the file is a symlink or not before writing data to it.

Indicator ID: 2 - Environment(s) env-Local

Type: Positive

The system allows creating symlinks.

Indicator ID: 3 - Environment(s) env-Local

Type: Inconclusive

Some directories do not allow creating symlink.

Indicator ID: 4 - Environment(s) env-Local

Type: Negative

The application checks whether the file is a symlink or not before writing data to it.


Security Control ID: 1

Type: Preventative

Perform checks on files to be handled: a) check for existence of file; b) check for symlinks; c) check for hard links.


Outcome ID: 1

Type: Success

The application does not check whether the file is a symlink or not before writing data to it and the attacker can create symlinks to the files.



Step 1 - Try to create symlinks to different files

The attacker then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase..

Tecnique ID: 1 - Environment(s) env-Local

The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.

Tecnique ID: 2 - Environment(s) env-Local

The attacker may need a little guesswork on the filenames on which the target application would operate.

Tecnique ID: 3 - Environment(s) env-Local

The attacker tries to create symlinks to the various filenames.

Indicator ID: 1 - Environment(s) env-Local

Type: Positive

The attacker can create symlinks to the files in the target directories.


Security Control ID: 1

Type: Preventative

Perform checks on files to be handled for existence, symlinks or hard links.

Security Control ID: 2

Type: Preventative

Give the sensitive files restricted permissions.


Outcome ID: 1

Type: Success

The attacker creates symlink to the files while the target application is operating on the file.



Step 1 - Target application operates on created symlinks to sensitive files

The attacker is able to create symlinks to sensitive files while the target application is operating on the file..

Tecnique ID: 1 - Environment(s) env-Local

Create the symlink to the sensitive file such as configuration files, etc.

Security Control ID: 1

Type: Preventative

Perform checks on files to be handled for existence, symlinks or hard links.

Security Control ID: 2

Type: Preventative

Give sensitive files restricted permissions.

Security Control ID: 3

Type: Preventative

Generate semi-random filenames and add the "O_CREAT|O_EXCL" flags to any "open()" calls made.


Outcome ID: 1

Type: Success

The attacker creates symlinks to sensitive files and the target application operates on them leading to a breach in the security assumptions of the target application.



Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.

Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.