Windows Shortcut Following (.LNK)ID: 64 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software, when opening a file or directory, does not
sufficiently handle when the file is a Windows shortcut (.LNK) whose target is
outside of the intended control sphere. This could allow an attacker to cause
the software to operate on unauthorized files.
Extended DescriptionThe shortcut (file with the .lnk extension) can permit an attacker to
read/write a file that they originally did not have permissions to
access.
Likelihood of Exploit: Medium to High
Applicable PlatformsLanguage Class: AllOperating System Class: Windows
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
ConfidentialityIntegrity | Read files or
directoriesModify files or
directories | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | Separation of Privilege | Follow the principle of least privilege when assigning access rights
to entities in a software system.Denying access to a file can prevent an attacker from replacing that
file with a link to a sensitive file. Ensure good compartmentalization
in the system to provide protected areas that can be trusted. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-64 ChildOf CWE-893 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2000-0342 : Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."
- CVE-2001-1042 : FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
- CVE-2001-1043 : FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
- CVE-2005-0587 : Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
- CVE-2001-1386 : ".LNK." - .LNK with trailing dot
- CVE-2003-1233 : Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Windows Shortcut Following (.LNK) | |
CERT C Secure Coding | FIO05-C | Identify files using multiple file
attributes | |
CERT C++ Secure Coding | FIO05-CPP | Identify files using multiple file
attributes | |
References:None