CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
Last updated
Overview
The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify Target] Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.
- The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.
- The adversary creates symlinks to files in different directories.
- Step 2Experiment