CAPEC-132

Symlink Attack
Bas
Haute
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

Informations du CAPEC

Flux d'exécution

1) Explore

[Identify Target] Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.

Technique
  • The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.
  • The adversary creates symlinks to files in different directories.
2) Experiment

[Try to create symlinks to different files] The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.

Technique
  • The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
  • The adversary may need a little guesswork on the filenames on which the target application would operate.
  • The adversary tries to create symlinks to the various filenames.
3) Exploit

[Target application operates on created symlinks to sensitive files] The adversary is able to create symlinks to sensitive files while the target application is operating on the file.

Technique
  • Create the symlink to the sensitive file such as configuration files, etc.

Conditions préalables

The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.

Compétences requises

To create symlinks
To identify the files and create the symlinks during the file operation time window

Ressources nécessaires

None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link.

Atténuations

Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.
Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.

Faiblesses connexes

CWE-ID Nom de la faiblesse

CWE-59

Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Références

REF-13

Crafting Symlinks for Fun and Profit
Shaun Colley.
http://www.infosecwriters.com/texts.php?op=display&id=159

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Nom Organisation Date Commentaire
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00 Updated References
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Consequences
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Example_Instances, Execution_Flow, Extended_Description, Prerequisites
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances