This attack leverages symbolic links (symlinks) in order to write to
sensitive files. An attacker creates a symlink, at a path she can write
to, pointing at a target file that is not otherwise accessible to her.
When a privileged program tries to create a temporary file with the same
name as the symlink, the open follows the link and the program actually
writes to the target file. If the attacker also controls the content the
program puts in the temporary file, she controls what is written to the
sensitive file. The race occurs because the program first checks whether
the temporary file exists and then creates it as a separate step; the
attacker creates the symlink during the interval between the check and
the creation (a time-of-check to time-of-use, or TOCTOU, window).
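As an added illustration (this program is not part of the CAPEC entry and is not taken from any real application), the following C code shows the victim-side check-then-create pattern just described beside its exclusive-create fix. The `race_hook_t` callback, the private directory, the file names and the "+ +" payload are all constructed for the demonstration; the callback stands in for the attacker winning the race inside the check-to-use window, which the Exploit step later on this page does with a loop of `rm -f; ln -s`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stand-in for the attacker winning the race: called inside the window
 * between the program's existence check and its create. (Constructed.) */
typedef void (*race_hook_t)(const char *tmp_path, const char *target);

/* VULNERABLE (the pattern this page describes): check that the name is free,
 * then create it. open() without O_EXCL follows a symlink planted in between,
 * so the data lands in whatever the link points at. Returns bytes written or -1. */
ssize_t write_temp_unsafe(const char *tmp_path, const char *data,
                          race_hook_t hook, const char *target)
{
    struct stat st;
    if (stat(tmp_path, &st) == 0) { errno = EEXIST; return -1; } /* time of check */
    if (hook) hook(tmp_path, target);                            /* race window  */
    int fd = open(tmp_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* time of use  */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n;
}

/* HARDENED: one atomic exclusive create. With O_CREAT|O_EXCL the kernel fails
 * the open with EEXIST if anything, including a symlink, already has that
 * name, instead of following it; O_NOFOLLOW refuses links even without O_EXCL.
 * Same return convention. */
ssize_t write_temp_safe(const char *tmp_path, const char *data,
                        race_hook_t hook, const char *target)
{
    if (hook) hook(tmp_path, target);     /* attacker plants the link anyway */
    int fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                /* errno == EEXIST: refused, nothing written */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n;
}

/* Simulated attacker: "rm -f tmp; ln -s target tmp" from the Exploit step. */
void plant_symlink(const char *tmp_path, const char *target)
{
    unlink(tmp_path);
    symlink(target, tmp_path);
}

static int put_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

static int get_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Runs both variants against a constructed "sensitive" file inside a private
 * directory (no real system file is touched). Returns 1 if the unsafe variant
 * overwrote the target and the safe variant refused with EEXIST and left it
 * intact, 0 if either behaved otherwise, -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[32] = "/tmp/symrace.XXXXXX";
    if (!mkdtemp(dir)) { strcpy(dir, "./symrace.XXXXXX"); if (!mkdtemp(dir)) return -1; }
    char target[300], tmp[300], buf[64];
    snprintf(target, sizeof target, "%s/sensitive", dir);  /* plays /.rhosts */
    snprintf(tmp, sizeof tmp, "%s/foo", dir);              /* plays /tmp/foo */
    int ok = 1;

    if (put_file(target, "original\n") != 0) return -1;
    if (write_temp_unsafe(tmp, "+ +\n", plant_symlink, target) < 0) ok = 0;
    if (get_file(target, buf, sizeof buf) != 0 || strcmp(buf, "+ +\n") != 0) ok = 0;

    if (put_file(target, "original\n") != 0) return -1;
    errno = 0;
    if (write_temp_safe(tmp, "+ +\n", plant_symlink, target) != -1 || errno != EEXIST) ok = 0;
    if (get_file(target, buf, sizeof buf) != 0 || strcmp(buf, "original\n") != 0) ok = 0;

    unlink(tmp); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("unsafe variant clobbered the target, safe variant refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The hook makes the race deterministic so the two behaviours can be compared side by side; in a real attack the attacker has no such hook and must win the timing, which is why the Exploit step below loops. Note that the safe variant does not need to check for the link beforehand at all: the kernel's exclusive create is the check and the use in one step.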
Attack Execution Flow

Explore

Verify that the target host's platform supports symbolic links:
This attack pattern is only applicable on platforms that support
symbolic links.

Attack Step Techniques
1. Research the target platform to determine whether it supports
   symbolic links. [env-Embedded, env-Local]
2. Create a symbolic link and ensure that it works as expected on the
   given platform.

Indicators
1. Negative: Target platform does not support symbolic links (e.g. MS
   Windows). Note that Windows Vista and later do support symbolic links
   (mklink, CreateSymbolicLink), though creating them requires
   SeCreateSymbolicLinkPrivilege or, on recent Windows 10/11, Developer
   Mode; directory junctions, which unprivileged users can create, give
   a comparable redirection primitive. The "does not support" indicator
   therefore applies mainly to older Windows releases and to minimal
   embedded platforms.
Examine the application's file I/O behavior:
Analyze the application's file I/O behavior to determine where it
stores files, as well as the operations it performs to read/write
files.

Attack Step Techniques
1. Use a kernel tracing utility such as ktrace (or strace on Linux) to
   monitor application behavior. [env-Local]
2. Use a debugging utility such as File Monitor (FileMon, since merged
   into Process Monitor on Windows) to monitor the application's
   filesystem I/O calls. [env-Local]
3. Watch temporary directories to see when temporary files are created,
   modified and deleted. [env-Embedded, env-Local]
4. Analyze source code for open-source systems like Linux, Apache, etc.
   [env-Embedded, env-Local]

Indicators
1. Positive: Attacker can watch files being created, modified and/or
   deleted by the application. [env-Embedded, env-Local]
2. Inconclusive: Application does not seem to perform any filesystem
   I/O operations. [env-Embedded, env-Local]

Outcomes
1. Success: Attacker identifies at least one reproducible file I/O
   operation performed by the application.
2. Failure: Attacker cannot identify any file I/O operations being
   performed by the application.
Experiment

Verify ability to write to the filesystem:
The attacker verifies the ability to write to the target host's file
system.

Attack Step Techniques
1. Create a file that does not exist in the target directory (e.g.
   "touch temp.txt" on UNIX-like systems). [env-Embedded, env-Local]
2. On platforms that differentiate between file creation and file
   modification, if the target file that the application writes to
   already exists, attempt to modify it. [env-Embedded, env-Local]
3. Verify permissions on the target directory. [env-Embedded, env-Local]

Indicators
1. Positive: Target directory is a globally writable temp directory
   (e.g. /tmp on many UNIX-like systems). [env-Embedded, env-Local]
2. Positive: Target directory is writable by the attacker's effective
   user ID. [env-Embedded, env-Local]
Caveat: on Linux, the sysctl fs.protected_symlinks=1 (available since
kernel 3.6 and enabled by default on most distributions) stops a process
from following a symlink in a sticky, world-writable directory such as
/tmp unless the follower's UID matches the link's owner or the directory
owner. Check it with "sysctl fs.protected_symlinks"; when it is set, a
world-writable sticky /tmp is a much weaker indicator, and the attack
needs a non-sticky writable directory or a target that does not honour
the restriction.

Outcomes
1. Success: Attacker can create and modify files in the target
   directory.
2. Failure: Attacker cannot create or modify files in the target
   directory.

Security Controls
1. Preventative: Store temporary files in a directory with limited
   permissions where malicious users cannot tamper with them.
Exploit

Replace the file with a symlink to a sensitive system file:
Between the time that the application checks to see if a file exists
(or if the user has access to it) and the time the application actually
opens the file, the attacker replaces the file with a symlink to a
sensitive system file.

Attack Step Techniques
1. Create an infinite loop containing commands such as "rm -f
   tempfile.dat; ln -s /etc/shadow tempfile.dat". Wait for an instance
   where the following steps occur in the given order: (1) the
   application ensures that tempfile.dat exists and that the user has
   access to it, (2) "rm -f tempfile.dat; ln -s /etc/shadow
   tempfile.dat" runs, and (3) the application opens tempfile.dat for
   writing, and inadvertently opens /etc/shadow for writing instead.
   [env-Embedded, env-Local]
2. Use other techniques with debugging tools to replace the file between
   the time the application checks the file and the time the application
   opens it. [env-Embedded, env-Local]

Outcomes
1. Success: Sensitive file tampered with successfully.
2. Failure: Sensitive file could not be tampered with.

Security Controls
1. Preventative: Use file handles to check the existence of files, to
   check permissions and to open them. Do not use the filename except to
   obtain a handle initially: open once (with O_EXCL and/or O_NOFOLLOW),
   check the resulting descriptor with fstat(), and keep using that
   descriptor rather than re-resolving the name.
2. Preventative: Drop the application's permissions to the current
   user's permissions before performing any file I/O operations (e.g.
   seteuid(getuid()) in C, or Process.euid= / Process::UID.change_privilege
   in Ruby).
3. Corrective: Run the application with minimal permissions. In
   particular, avoid running applications as root on UNIX-like systems
   and as Administrator on Windows systems.
Attack Prerequisites
The attacker is able to create symbolic links on the target host.
Tainted data from the attacker is used and copied to temporary files.
The target program creates temporary files insecurely (a predictable
name in a directory the attacker can write to, checked and created in
separate steps).
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Time and State
Modification of Resources
Examples-Instances
Description
In this naive example, the Unix program foo is setuid root. Its function
is to retrieve information for the accounts specified by the user. For
"efficiency," it sorts the requested accounts into a temporary file
(/tmp/foo, naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Mallory creates a
symbolic link named /tmp/foo pointing to the file /.rhosts. Then she
invokes foo with "+ +" as the requested account. The program creates the
(temporary) file /tmp/foo (really creating /.rhosts, because the open
follows the link) and puts the requested account (+ +) in it. It then
removes the temporary file (merely removing the symbolic link; /.rhosts
keeps its new content).
Now /.rhosts contains "+ +", which is the incantation that allows anyone
on any host to use rlogin to log into the computer as the superuser.
(Source: Wikipedia
(http://en.wikipedia.org/wiki/Symlink_race)).
Description
GNU ed before 0.3 allows local users to overwrite arbitrary files via
a symlink attack on temporary files, possibly in the open_sbuf
function.
Related Vulnerabilities
CVE-2006-6939
Description
OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local
users to overwrite or delete arbitrary files via a symlink attack on (1)
temporary files in the openmosixcollector directory or (2)
nodes.tmp.
Related Vulnerabilities
CVE-2005-0894
Description
Setuid product allows file reading by replacing a file being edited
with a symlink to the targeted file, leaking the result in error
messages when parsing fails.
Related Vulnerabilities
CVE-2000-0972
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
This attack is moderately sophisticated because the attacker has to
overcome a few challenges: creating the symlink on the target host with
precise timing, getting malicious data into the temporary file, and
knowing which temporary files are created (their names and the function
that creates them).
Probing Techniques
Description
The attacker will certainly look for file system locations where he
can write and create symbolic links.
Description
The attacker may also observe the system and locate the temporary
files created during a call to a certain function.
Solutions and Mitigations
Use safe library routines when creating temporary files. For instance
the standard C library function mkstemp() creates the file atomically
with O_CREAT|O_EXCL and returns an open descriptor, so a symlink planted
at the chosen name makes the call fail rather than be followed. Avoid
routines that only return a name (mktemp(), tmpnam(), tempnam()), since
the separate create step that follows reopens the race. For shell
scripts, the system utility mktemp(1) does the same thing (mktemp -d for
a private directory).
Directory permissions should be restricted so that attackers cannot
manipulate the files: the attack needs write access to the directory in
which the temporary file is created, so use a per-user or per-service
directory (mode 0700) rather than a shared world-writable one. Denying
an attacker write access to that directory prevents them from replacing
the file with a link to a sensitive file.
Follow the principle of least privilege when assigning access rights to
files.
Ensure good compartmentalization in the system to provide protected areas
that can be trusted.
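The following C program is an added example (not from the CAPEC entry and not any project's code) that puts the mkstemp() mitigation above together with the two preventative controls from the Exploit step: drop to the caller's privileges, then create the temporary file exclusively, verify it through its descriptor with fstat(), unlink the name while keeping the descriptor, and do every later read and write through that descriptor. It then replays the page's "sort accounts into a temp file and read them back" pattern on a constructed account list. The `.work.XXXXXX` template, the private directory and the sample accounts are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Control "drop to the caller's privileges before file I/O": in a setuid
 * program the effective UID is the binary owner's; switch it to the invoking
 * user's real UID so any file the program creates is created as that user.
 * Returns 0 on success, -1 on failure. A harmless no-op when not setuid. */
int drop_to_caller(void)
{
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;   /* verify the switch took */
}

/* Control "use file handles, not names": mkstemp() creates the file with
 * O_CREAT|O_EXCL under a unique name (a planted symlink makes it fail, not
 * follow), fstat() checks the object we actually opened, and the name is then
 * unlinked while the descriptor stays open. Returns the descriptor or -1.
 * `dir` is assumed to be a caller-chosen private directory. */
int open_private_tempfile(const char *dir)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/.work.XXXXXX", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);   /* current libcs use 0600 anyway; be explicit */
    int fd = mkstemp(path);
    umask(old);
    if (fd < 0) return -1;

    struct stat st;
    if (fstat(fd, &st) != 0            /* check through the handle:            */
        || !S_ISREG(st.st_mode)        /*   a regular file,                    */
        || st.st_uid != geteuid()      /*   owned by us,                       */
        || st.st_nlink != 1            /*   not hard-linked anywhere else,     */
        || (st.st_mode & 077) != 0) {  /*   not group/world accessible         */
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    unlink(path);   /* only our descriptor refers to the file from here on */
    return fd;
}

/* The page's "sort into a temp file, then read it back" pattern done through
 * the one descriptor: write, rewind, read. The name is never re-opened, so an
 * attacker who later recreates it as a symlink changes nothing.
 * Returns bytes read back, or -1. */
ssize_t spool_and_readback(const char *dir, const char *data, char *out, size_t outlen)
{
    int fd = open_private_tempfile(dir);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    if (lseek(fd, 0, SEEK_SET) != 0)          { close(fd); return -1; }
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);   /* last reference: the unlinked file is reclaimed here */
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

/* Constructed end-to-end run in a private directory. Returns 1 if the data
 * read back through the descriptor matches what was written, 0 if not,
 * -1 on setup failure. */
int demo_spool(void)
{
    char dir[32] = "/tmp/spool.XXXXXX";
    if (!mkdtemp(dir)) { strcpy(dir, "./spool.XXXXXX"); if (!mkdtemp(dir)) return -1; }
    const char *accounts = "alice\nbob\n";   /* constructed sample input */
    char out[64];
    ssize_t n = spool_and_readback(dir, accounts, out, sizeof out);
    rmdir(dir);   /* succeeds only because the temp file was already unlinked */
    return n == (ssize_t)strlen(accounts) && strcmp(out, accounts) == 0;
}

int main(void)
{
    if (drop_to_caller() != 0) { perror("seteuid"); return 1; }
    int r = demo_spool();
    printf("spooled and read back through one descriptor: %s\n", r == 1 ? "ok" : "FAILED");
    return r == 1 ? 0 : 1;
}
```

Two design points worth noting. First, the privilege drop is what makes the remaining exposure small: with the effective UID set to the invoking user, even a successful symlink redirection could only reach files that user already owns. Second, unlinking immediately after the fstat() check shortens the window in which a name exists at all; the program does not need the name again because every later operation goes through the descriptor, which is the "use file handles" control stated literally.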
Attack Motivation-Consequences
Scope: Integrity
  Technical Impact: Modify application data
Scope: Confidentiality, Access Control, Authorization
  Technical Impact: Gain privileges / assume identity
Scope: Availability
  Technical Impact: DoS: resource consumption (other)
Injection Vector
The content of the temporary file, which is copied to the file pointed to
by the symlink.
Payload
The content of the file overwritten when writing through the symlink.
Activation Zone
The new content of the targeted file.
Payload Activation Impact
Description
This attack can cause privilege escalation, modification of resources or
denial of service.