symlinkt
Symlink Traversal
Symlink traversal attacks take advantage of programs that unsafely follow symbolic links. A symbolic link, or soft link, is a file/directory that is a reference to another file/directory. When accessing the link, the referenced file/directory will be the actual object accessed. Symlinks can link to any file system, no matter if the user creating the link has permissions to the endpoint.
An attacker can exploit this to access prohibited files by providing symlinks to programs that have access to those files.
Attack Vector
There are two attack vectors:
-
The attacker creates a symlink to a file or directory they do not have access to and passes it to a program or user that has permissions to the file/directory. The symlink will bypass any file name checks and the target file will be successfully used or executed by the program or user. The supplying of the symlink by the attacker can occur through various forms of user input.
-
A program relies on the contents of a file during execution. While the program is running, right when it accesses the file, the attacker creates a symlink from this necessary file to a different, malicious file. The program will follow the symlink and unexpectedly work with the malicious file.
Impact
Symlink traversal attacks result in elevation of privilege. The attacker can gain access to files or directories they do not have permissions to and use them to bypass permission checks or cause unexpected behaviors in the program.
Attack Examples
Example 1
A program creates a new file to store metadata on a user when they create a new account and uses the user's username as the file name. An attacker can exploit this by creating a new account and while the program is running, creating a symlink from a file named by their username, the same as what will be used by the program, to /etc/passwd. When the program tries to create the users file, it follows the symlink to /etc/passwd and overwrites this file instead.
Example 2
There exists a program that takes in a file with a user's password for authentication (just for the purposes of this example). An attacker who knows where another user's authentication file exists can create a symlink in their directory to this file. They can then pass this symlink to the program, which doesn't sanitize the symlink, follows it, and authenticates the attacker as the other user.
Defenses
To defend against symlink traversal attacks, sanitize the entire path. This means parsing the symlink into its actual target path and then checking this for unexpected inputs. For certain symlink attacks, it is also important to have proper permissions set for files used by the program so that they cannot be overwritten.
Tips for Demonstration
To demonstrate a symlink traversal attack, provide the symbolic link you created (give the target file/directory and the link), where it is used in the handin program, and what you were able to accomplish with it.
Other resources
On symbolic links:
https://man7.org/linux/man-pages/man7/symlink.7.html
https://en.wikipedia.org/wiki/Symbolic_link
On symbolic link vulnerabilities:
https://capec.mitre.org/data/definitions/132.html
https://cwe.mitre.org/data/definitions/61.html
https://www.cybrary.it/blog/2019/07/symlink-attacks/
https://nixhacker.com/understanding-and-exploiting-symbolic-link-in-windows/
srowley1, wschor