CAPEC-132: Symlink Attack

Description
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
Extended Description

The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications.

In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have.

Severity :

High

Possibility :

Low

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-159: Redirect Access to Libraries Redirect Access to Libraries
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low To create symlinks
  • High To identify the files and create the symlinks during the file operation time window
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Boot or Logon Autostart Execution:Shortcut Modification
Resources required

None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Visit http://capec.mitre.org/ for more details.