CWE-59 在文件访问前对链接解析不恰当(链接跟随)

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: Medium

基本描述

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 706 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 706 cwe_View_ID: 1003 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Operating_System: [{'cwe_Class': 'Windows', 'cwe_Prevalence': 'Sometimes'}, {'cwe_Class': 'Unix', 'cwe_Prevalence': 'Often'}]

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Access Control'] ['Read Files or Directories', 'Modify Files or Directories', 'Bypass Protection Mechanism'] An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Other Execute Unauthorized Code or Commands Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

检测方法

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Web Application Scanner
  • Web Services Scanner
  • Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Fuzz Tester
  • Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Focused Manual Spotcheck - Focused manual analysis of source
  • Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Source code Weakness Analyzer
  • Context-configured Source Code Weakness Analyzer

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Formal Methods / Correct-By-Construction
Cost effective for partial coverage:
  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

可能的缓解方案

MIT-48.1 Architecture and Design

策略: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

分析过的案例

标识 说明 链接
CVE-1999-1386 Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386
CVE-2000-1178 Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178
CVE-2004-0217 Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217
CVE-2003-0517 Symlink attack allows local users to overwrite files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517
CVE-2004-0689 Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689
CVE-2005-1879 Second-order symlink vulnerabilities https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879
CVE-2005-1880 Second-order symlink vulnerabilities https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880
CVE-2005-1916 Symlink in Python program https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916
CVE-2000-0972 Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972
CVE-2005-0824 Signal causes a dump that follows symlinks. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824
CVE-2001-1494 Hard link attack, file overwrite; interesting because program checks against soft links https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494
CVE-2002-0793 Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793
CVE-2003-0578 Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578
CVE-1999-0783 Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783
CVE-2004-1603 Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603
CVE-2004-1901 Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901
CVE-2005-1111 Hard link race condition https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111
CVE-2000-0342 Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342
CVE-2001-1042 FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042
CVE-2001-1043 FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043
CVE-2005-0587 Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587
CVE-2001-1386 ".LNK." - .LNK with trailing dot https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386
CVE-2003-1233 Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233
CVE-2002-0725 File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725
CVE-2003-0844 Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844

Notes

Relationship

Research Gap UNIX hard links, and Windows hard/soft links are under-studied and under-reported.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Link Following
CERT C Secure Coding FIO02-C Canonicalize path names originating from untrusted sources
CERT C Secure Coding POS01-C Check for the existence of links when dealing with files
SEI CERT Perl Coding Standard FIO01-PL CWE More Specific Do not operate on files that can be modified by untrusted users
Software Fault Patterns SFP18 Link in resource name resolution

相关攻击模式

  • CAPEC-132
  • CAPEC-17
  • CAPEC-35
  • CAPEC-76

引用