Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Medium
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 706 | 1000 | Primary |
ChildOf | 706 | 1003 | Primary |
Language: Language-Independent (Prevalence: Undetermined)
Operating System: Windows (Prevalence: Sometimes); Unix (Prevalence: Often)
Scope | Impact | Notes |
---|---|---|
Confidentiality, Integrity, Access Control | Read Files or Directories; Modify Files or Directories; Bypass Protection Mechanism | An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism, an attacker may be able to bypass that mechanism. |
Other | Execute Unauthorized Code or Commands | Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution. |
According to SOAR, the following detection techniques may be useful:
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system so that there are protected areas that can be trusted.
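The check that this mitigation and the CERT POS01-C mapping call for, as an added C example that is not part of the CWE entry: open with O_NOFOLLOW so the kernel refuses a symbolic link inside the open call itself, then fstat() the descriptor to refuse hard links as well (the gap behind CVE-2001-1494 in the table below, where a soft-link check alone was bypassed). The temp directory, file names and ERR_* codes are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { OPEN_OK = 0, ERR_SYMLINK = -1, ERR_HARDLINK = -2, ERR_NOTREG = -3, ERR_OTHER = -4 };

/* Open `path` read-only without following links; returns a descriptor or an
 * ERR_* code. O_NOFOLLOW makes the kernel refuse a symlink at the final component
 * (ELOOP) inside the open itself, so no separate lstat() can race with a link swap;
 * fstat() then rejects hard links (st_nlink > 1) and non-regular files. */
int open_no_links(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return errno == ELOOP ? ERR_SYMLINK : ERR_OTHER;
    int rc = fstat(fd, &st) != 0  ? ERR_OTHER
           : !S_ISREG(st.st_mode) ? ERR_NOTREG
           : st.st_nlink > 1      ? ERR_HARDLINK : OPEN_OK;
    if (rc != OPEN_OK) { close(fd); return rc; }
    return fd;
}
/* Constructed fixture (not from the CWE entry) in a fresh temp dir: `plain`,
 * `sym` -> plain, and `target` with a second hard-link name `hard`. */
static char g_dir[64] = "/tmp/cwe59_XXXXXX";
static void join(char *out, const char *name) { snprintf(out, 128, "%s/%s", g_dir, name); }
static int touch(const char *p) {                 /* create an empty regular file */
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}
int make_fixture(void) {                          /* returns 0 on success */
    char a[128], b[128];
    if (!mkdtemp(g_dir)) return -1;
    join(a, "plain");  if (touch(a) != 0) return -1;
    join(b, "target"); if (touch(b) != 0) return -1;
    join(a, "sym");    if (symlink("plain", a) != 0) return -1;  /* relative target */
    join(a, "hard");
    return link(b, a);                            /* target's st_nlink becomes 2 */
}
/* Classify a fixture entry via open_no_links() and release the descriptor. */
int classify(const char *name) {
    char path[128];
    join(path, name);
    int fd = open_no_links(path);
    if (fd >= 0) { close(fd); return OPEN_OK; }
    return fd;
}
```

Call make_fixture() once and then classify() each name; the st_nlink check refuses a file only once a second name for it exists, so it complements, rather than replaces, keeping untrusted users out of the directories a privileged process opens.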
Identifier | Description | Link |
---|---|---|
CVE-1999-1386 | Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386 |
CVE-2000-1178 | Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178 |
CVE-2004-0217 | Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217 |
CVE-2003-0517 | Symlink attack allows local users to overwrite files. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517 |
CVE-2004-0689 | Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689 |
CVE-2005-1879 | Second-order symlink vulnerabilities | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879 |
CVE-2005-1880 | Second-order symlink vulnerabilities | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880 |
CVE-2005-1916 | Symlink in Python program | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916 |
CVE-2000-0972 | Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972 |
CVE-2005-0824 | Signal causes a dump that follows symlinks. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824 |
CVE-2001-1494 | Hard link attack, file overwrite; interesting because program checks against soft links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494 |
CVE-2002-0793 | Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793 |
CVE-2003-0578 | Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578 |
CVE-1999-0783 | Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783 |
CVE-2004-1603 | Web hosting manager follows hard links, which allows local users to read or modify arbitrary files. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603 |
CVE-2004-1901 | Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901 |
CVE-2005-1111 | Hard link race condition | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111 |
CVE-2000-0342 | Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment." | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342 |
CVE-2001-1042 | FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042 |
CVE-2001-1043 | FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043 |
CVE-2005-0587 | Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587 |
CVE-2001-1386 | ".LNK." - .LNK with trailing dot | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386 |
CVE-2003-1233 | Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233 |
CVE-2002-0725 | File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725 |
CVE-2003-0844 | Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844 |
Relationship:
Research Gap: UNIX hard links, and Windows hard/soft links, are under-studied and under-reported.
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Link Following |
CERT C Secure Coding | FIO02-C | | Canonicalize path names originating from untrusted sources |
CERT C Secure Coding | POS01-C | | Check for the existence of links when dealing with files |
SEI CERT Perl Coding Standard | FIO01-PL | CWE More Specific | Do not operate on files that can be modified by untrusted users |
Software Fault Patterns | SFP18 | | Link in resource name resolution |