CWE-61 Detail

CWE-61

Name

UNIX Symbolic Link (Symlink) Following

Likelihood

High

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

CWE Description

A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

General Informations

Modes Of Introduction

Implementation : These are typically reported for temporary files or privileged programs.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Read Files or Directories, Modify Files or Directories

Observed Examples

References	Description
CVE-1999-1386	Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
CVE-2000-1178	Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
CVE-2004-0217	Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
CVE-2003-0517	Symlink attack allows local users to overwrite files.
CVE-2004-0689	Possible interesting example
CVE-2005-1879	Second-order symlink vulnerabilities
CVE-2005-1880	Second-order symlink vulnerabilities
CVE-2005-1916	Symlink in Python program
CVE-2000-0972	Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2005-0824	Signal causes a dump that follows symlinks.
CVE-2015-3629	A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
CVE-2020-26277	In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute.
CVE-2021-21272	"Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.

Potential Mitigations

Phases : Implementation
Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
Phases : Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system.

Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Vulnerability Mapping Notes

Justification : This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature.
Comment : While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine which weaknesses allow symlink following to occur, and map to those weaknesses. For example, predictable file names might be intended functionality, but creation in a directory with insecure permissions might not.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-27	Leveraging Race Conditions via Symbolic Links This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

NotesNotes

Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported.

"Second-order symlink vulnerabilities" may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].

References

REF-493

Second-Order Symlink Vulnerabilities
Steve Christey.
https://seclists.org/bugtraq/2005/Jun/44

REF-494

Crafting Symlinks for Fun and Profit
Shaun Colley.
http://www.infosecwriters.com/texts.php?op=display&id=159

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Observed_Example, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2009-07-27 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Observed_Examples, References
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-06-23 +00:00	updated Modes_of_Introduction, Other_Notes
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2022-04-28 +00:00	updated Research_Gaps
CWE Content Team	MITRE	2022-10-13 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes