UNIX Symbolic Link (Symlink) Following
Compound Element ID: 61 (Compound Element Variant: Composite)Status: Incomplete
+ Description

Description Summary

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Extended Description

A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

+ Alternate Terms
Symlink following
symlink vulnerability
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Likelihood of Exploit

High to Very High

+ Observed Examples
ReferenceDescription
CVE-1999-1386
CVE-2000-1178
CVE-2004-0217
CVE-2003-0517
CVE-2004-0689Possible interesting example
CVE-2005-1879Second-order symlink vulnerabilities
CVE-2005-1880Second-order symlink vulnerabilities
CVE-2005-1916Symlink in Python program
CVE-2000-0972Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2005-0824Signal causes a dump that follows symlinks.
+ Potential Mitigations

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Follow the principle of least privilege when assigning access rights to files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

+ Other Notes

Fault: filename predictability, insecure directory permissions, non-atomic operations, race condition.

These are typically reported for temporary files or privileged programs.

+ Weakness Ordinalities
OrdinalityDescription
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
RequiresWeakness ClassWeakness Class216Containment Errors (Container Errors)
Research Concepts1000
RequiresCategoryCategory275Permission Issues
Research Concepts1000
RequiresWeakness ClassWeakness Class340Predictability Problems
Research Concepts1000
RequiresWeakness ClassWeakness Class362Race Condition
Research Concepts1000
RequiresWeakness BaseWeakness Base386Symbolic Name not Mapping to Correct Object
Research Concepts1000
ChildOfWeakness BaseWeakness Base59Improper Link Resolution Before File Access ('Link Following')
Research Concepts (primary)1000
ChildOfCategoryCategory60UNIX Path Link Problems
Resource-specific Weaknesses (primary)631
Development Concepts (primary)699
+ Research Gaps

Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported.

"Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used. Reference: [Christey2005]

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUNIX symbolic link following
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
27Leveraging Race Conditions via Symbolic Links
+ References
Steve Christey. "Second-Order Symlink Vulnerabilities". Bugtraq. 2005-06-07. <http://www.securityfocus.com/archive/1/401682>.
Shaun Colley. "Crafting Symlinks for Fun and Profit". Infosec Writers Text Library. 2004-04-12. <http://www.infosecwriters.com/texts.php?op=display&id=159>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Observed Example, Other Notes, Research Gaps, Taxonomy Mappings, Weakness Ordinalities
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-07-27CWE Content TeamMITREInternal
updated Observed Examples
Back to top