[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

UNIX Symbolic Link (Symlink) Following

ID: 61Date: (C)2012-05-14   (M)2012-11-08
Type: compound elementStatus: INCOMPLETE
Abstraction Type: Variant





Description

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Likelihood of Exploit: High to Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
Integrity
 
Read files or directories
Modify files or directories
 
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
 
  
Architecture and Design
 
Separation of Privilege
 
Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
 
  

Relationships

Related CWETypeViewChain
CWE-61 Requires CWE-275 Category CWE-1000  

Demonstrative Examples
None

Observed Examples

  1. CVE-1999-1386 : Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
  2. CVE-2000-1178 : Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
  3. CVE-2004-0217 : Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
  4. CVE-2003-0517 : Symlink attack allows local users to overwrite files.
  5. CVE-2004-0689 : Possible interesting example
  6. CVE-2005-1879 : Second-order symlink vulnerabilities
  7. CVE-2005-1880 : Second-order symlink vulnerabilities
  8. CVE-2005-1916 : Symlink in Python program
  9. CVE-2000-0972 : Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
  10. CVE-2005-0824 : Signal causes a dump that follows symlinks.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  UNIX symbolic link following
 
 

References:

  1. Steve Christey .Second-Order Symlink Vulnerabilities. Bugtraq. 2005-06-07.
  2. Shaun Colley .Crafting Symlinks for Fun and Profit. Infosec Writers Text Library. 2004-04-12.
  3. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 9, "Symbolic Link Attacks", Page 518.'. Published on 2006.

© 2013 SecPod Technologies