CAPEC-45: Buffer Overflow via Symbolic Links
This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
Last updated
Overview
CAPEC-45 (Buffer Overflow via Symbolic Links) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify target application] The adversary identifies a target application or program that might load in certain files to memory.
- Step 2Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified.
- Step 3Experiment
[Craft overflow file content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
- Step 4Exploit
[Overflow the buffer] Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.
What the attacker needs
Prerequisites
- The adversary can create symbolic link on the target host.
- The target host does not perform correct boundary checking while consuming data from a resources.
Skills required
- Low skill: An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS.
- High skill: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
Consequences
What a successful CAPEC-45 attack can achieve.
Unreliable Execution
Affects: Availability
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-45.
- Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.
- Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.
- Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources.
- Always check the size of the input data before copying to a buffer.
- Use a language or compiler that performs automatic bounds checking.
- Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
- Use OS-level preventative functionality. Not a complete solution.
How to detect it
Indicators that this attack may be underway.
- An adversary creating or modifying Symbolic links is a potential signal of attack in progress.
- An adversary deleting temporary files can also be a sign that the adversary is trying to replace legitimate resources with malicious ones.
Examples
The EFTP server has a buffer overflow that can be exploited if an adversary uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the adversary uploads some content (the link file) and then the adversary causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.
Frequently asked questions
Common questions about CAPEC-45.
- What is CAPEC-45?
- This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
- How does a Buffer Overflow via Symbolic Links attack work?
- It typically unfolds over 4 phases. It begins with: [Identify target application] The adversary identifies a target application or program that might load in certain files to memory.
- How do you prevent CAPEC-45?
- Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.
- What weaknesses does CAPEC-45 target?
- CAPEC-45 exploits 9 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-118 (Incorrect Access of Indexable Resource ('Range Error')), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
- How severe is CAPEC-45?
- MITRE rates CAPEC-45 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-45
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.