Home > CAPEC List > CAPEC-45: Buffer Overflow via Symbolic Links (Version 2.6)  

CAPEC-45: Buffer Overflow via Symbolic Links

 
Buffer Overflow via Symbolic Links
Definition in a New Window Definition in a New Window
Attack Pattern ID: 45
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.

+ Attack Execution Flow
Exploit
  1. The attacker creates or modifies a symbolic link pointing to a resources (e.g., file, directory). The content of the symbolic link file includes out-of-bounds (e.g. excessive length) data.

  2. The target host consumes the data pointed to by the symbolic link file. The target host may either intentionally expect to read a symbolic link or it may be fooled by the replacement of the original resource and read the attackers' symbolic link.

  3. While consuming the data, the target host does not check for buffer boundary which can lead to a buffer overflow. If the content of the data is controlled by the attacker, this is an avenue for remote code execution.

+ Attack Prerequisites
  • The attacker can create symbolic link on the target host.

  • The target host does not perform correct boundary checking while consuming data from a resources.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • Modification of Resources
+ Examples-Instances

Description

The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the attacker uploads some content (the link file) and then the attacker causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

The attacker will look for temporary files in the world readable directories. Those temporary files are often created and read by the system.

The attacker will look for Symbolic link or link target file that she can override.

+ Indicators-Warnings of Attack

An attacker creating or modifying Symbolic links is a potential signal of attack in progress.

An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones.

+ Solutions and Mitigations

Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.

Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.

Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources.

Always check the size of the input data before copying to a buffer.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
+ Injection Vector

The resource pointed to by the Symbolic link (e.g., file, directory, etc.)

+ Payload

The buffer overrun by the attacker.

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

The most common is remote code execution.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
C
C++
+ References
[R.45.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.45.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated: December 04, 2014