UNIX Symbolic Link (Symlink) Following
Compound Element ID: 61 (Compound Element Variant: Composite) | Status: Incomplete
Description Summary
Extended Description
A software system that allows UNIX symbolic links (symlinks) as part of paths, whether in internal code or through user input, can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read, write, or corrupt a file that they originally did not have permission to access.
Reference | Description |
---|---|
CVE-1999-1386 | |
CVE-2000-1178 | |
CVE-2004-0217 | |
CVE-2003-0517 | |
CVE-2004-0689 | Possible interesting example |
CVE-2005-1879 | Second-order symlink vulnerabilities |
CVE-2005-1880 | Second-order symlink vulnerabilities |
CVE-2005-1916 | Symlink in Python program |
CVE-2000-0972 | Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. |
CVE-2005-0824 | Signal causes a dump that follows symlinks. |
Symbolic link attacks often occur when a program creates a tmp directory that stores files or links. Access to the directory should be restricted to the program, so that attackers cannot manipulate the files.
Follow the principle of least privilege when assigning access rights to files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Fault: filename predictability, insecure directory permissions, non-atomic operations, race condition. These are typically reported for temporary files or privileged programs.
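The faults listed above (predictable name, shared directory, non-atomic create) can be seen side by side in the following C sketch. It is an added example, not part of the CWE entry; the function names and the `/tmp/cwe61-demo-XXXXXX` template are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: O_CREAT alone. If the path already exists as a symlink,
 * open() follows it and O_TRUNC empties the link's target. */
int open_scratch_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes "create only if absent" one atomic step and
 * rejects any existing name, symlinks included; O_NOFOLLOW rejects a link
 * in the final path component. Fails with -1 (EEXIST here), never follows. */
int open_scratch_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-check, confined to a directory it creates and removes.
 * Returns bit 0 set if the weak opener truncated the protected file through
 * the link, bit 1 set if the hardened opener refused the link; -1 on error. */
int symlink_selfcheck(void) {
    char dir[] = "/tmp/cwe61-demo-XXXXXX", target[64], scratch[64];
    struct stat st;
    int result = 0, fd;
    /* mkdtemp(): unpredictable name, mode 0700, so only this user can write */
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch.tmp", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(target, scratch) != 0) return -1;   /* pre-existing link */
    fd = open_scratch_safe(scratch);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2;
    if (fd >= 0) close(fd);
    fd = open_scratch_weak(scratch);
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0) result |= 1;
    unlink(scratch); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("selfcheck = %d\n", symlink_selfcheck());
    return 0;
}
```

A result of 3 means the weak opener wrote through the link while the hardened opener returned an error, which is the behaviour a code review should look for when temporary files are created.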
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
Requires | | 216 | Containment Errors (Container Errors) | Research Concepts (1000) |
Requires | | 275 | Permission Issues | Research Concepts (1000) |
Requires | | 340 | Predictability Problems | Research Concepts (1000) |
Requires | | 362 | Race Condition | Research Concepts (1000) |
Requires | | 386 | Symbolic Name not Mapping to Correct Object | Research Concepts (1000) |
ChildOf | | 59 | Improper Link Resolution Before File Access ('Link Following') | Research Concepts (primary) (1000) |
ChildOf | | 60 | UNIX Path Link Problems | Resource-specific Weaknesses (primary) (631); Development Concepts (primary) (699) |
Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. "Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used. Reference: [Christey2005]
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
27 | Leveraging Race Conditions via Symbolic Links |
[Christey2005] Steve Christey. "Second-Order Symlink Vulnerabilities". Bugtraq. 2005-06-07. <http://www.securityfocus.com/archive/1/401682>.
Shaun Colley. "Crafting Symlinks for Fun and Profit". Infosec Writers Text Library. 2004-04-12. <http://www.infosecwriters.com/texts.php?op=display&id=159>.
Submissions: PLOVER (Externally Mined)
Modifications
Modification Date | Modifier | Organization | Source | Change |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Observed Example, Other Notes, Research Gaps, Taxonomy Mappings, Weakness Ordinalities |
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Observed Examples |