CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-61: UNIX Symbolic Link (Symlink) Following

 
UNIX Symbolic Link (Symlink) Following
Compound Element ID: 61 (Compound Element Variant: Composite)Status: Incomplete
+ Description

Description Summary

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Extended Description

A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

+ Alternate Terms
Symlink following
symlink vulnerability
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Modes of Introduction

These are typically reported for temporary files or privileged programs.

+ Common Consequences
ScopeEffect

Technical Impact: Read files or directories; Modify files or directories

+ Likelihood of Exploit

High to Very High

+ Observed Examples
ReferenceDescription
Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
Symlink attack allows local users to overwrite files.
Possible interesting example
Second-order symlink vulnerabilities
Second-order symlink vulnerabilities
Symlink in Python program
Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
Signal causes a dump that follows symlinks.
+ Potential Mitigations

Phase: Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Phase: Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

+ Weakness Ordinalities
OrdinalityDescription
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
RequiresWeakness ClassWeakness Class216Containment Errors (Container Errors)
Research Concepts1000
RequiresCategoryCategory275Permission Issues
Research Concepts1000
RequiresWeakness ClassWeakness Class340Predictability Problems
Research Concepts1000
RequiresWeakness ClassWeakness Class362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Research Concepts1000
RequiresWeakness BaseWeakness Base386Symbolic Name not Mapping to Correct Object
Research Concepts1000
ChildOfWeakness BaseWeakness Base59Improper Link Resolution Before File Access ('Link Following')
Research Concepts (primary)1000
ChildOfCategoryCategory60UNIX Path Link Problems
Resource-specific Weaknesses (primary)631
Development Concepts (primary)699
+ Research Gaps

Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported.

"Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used. Reference: [Christey2005]

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUNIX symbolic link following
+ References
Steve Christey. "Second-Order Symlink Vulnerabilities". Bugtraq. 2005-06-07. <http://www.securityfocus.com/archive/1/401682>.
Shaun Colley. "Crafting Symlinks for Fun and Profit". Infosec Writers Text Library. 2004-04-12. <http://www.infosecwriters.com/texts.php?op=display&id=159>.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 9, "Symbolic Link Attacks", Page 518.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Observed_Example, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14MITREInternal
updated Description
2009-07-27MITREInternal
updated Observed_Examples
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated Observed_Examples, References
2012-10-30MITREInternal
updated Potential_Mitigations
2014-06-23MITREInternal
updated Modes_of_Introduction, Other_Notes
Page Last Updated: June 23, 2014