CWE-64 Detail

CWE-64

Name

Windows Shortcut Following (.LNK)

Likelihood

Low

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Windows Shortcut Following (.LNK)

The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

CWE Description

The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access.

General Informations

Modes Of Introduction

Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Windows (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Read Files or Directories, Modify Files or Directories

Observed Examples

References	Description
CVE-2019-19793	network access control service executes program with high privileges and allows symlink to invoke another executable or perform DLL injection.
CVE-2000-0342	Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."
CVE-2001-1042	FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2001-1043	FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2005-0587	Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
CVE-2001-1386	".LNK." - .LNK with trailing dot
CVE-2003-1233	Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link

Potential Mitigations

Phases : Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system.

Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

Under-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2008-11-24 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2011-09-13 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-05-11 +00:00	updated Observed_Examples, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-01-03 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2022-06-28 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes

CWE-64 Detail

CWE-64

Name: Windows Shortcut Following (.LNK)

CWE Description

General Informations

Modes Of Introduction

Applicable Platforms

Language

Operating Systems

Common Consequences

Observed Examples

CVE-2019-19793

CVE-2000-0342

CVE-2001-1042

CVE-2001-1043

CVE-2005-0587

CVE-2001-1386

CVE-2003-1233

Potential Mitigations

Vulnerability Mapping Notes

NotesNotes

Submission

Modifications