
Symlink race: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Ronark (talk | contribs)
Added cleanup
Example: Copyedit
 
(50 intermediate revisions by 44 users not shown)
Line 1: Line 1:
{{Short description|Software Security}}
{{cleanup|date=December 2, 2008}}
{{refimprove|date=August 2016}}
A '''symlink race''' is a kind of [[Vulnerability (computer science)|software security vulnerability]] that results from a program creating [[computer file|files]] in an insecure manner.<ref>{{cite web|title=CAPEC-27: Leveraging Race Conditions via Symbolic Links|url=https://capec.mitre.org/data/definitions/27.html|publisher=[[Common Attack Pattern Enumeration and Classification|CAPEC]]}}</ref> A malicious user can create a [[symbolic link]] to a file not otherwise accessible to them. When the [[setuid|privileged]] program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).


It is called a "[[race condition|race]]" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the [[Time-of-check to time-of-use|interval between the check and when the file is created]].
A '''symlink race''' is a kind of [[Vulnerability (computer science)|software security vulnerability]] that results from a program creating [[computer file|files]] in an insecure manner. A malicious user can create a [[symbolic link]] to a file not otherwise accessible to him or her. When the [[setuid|privileged]] program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content provided by the malicious user.


A symlink race can happen with [[antivirus]] products that decide they will quarantine or delete a suspicious file, and then go ahead and do that. During the interval between decision and action, malicious software can replace the suspicious file with a system or antivirus file that the malicious software wants overwritten.<ref>{{Cite web|url=https://www.zdnet.com/article/symlink-race-bugs-discovered-in-28-antivirus-products/|title=Symlink race bugs discovered in 28 antivirus products|website=[[ZDNet]] }}</ref>
It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists, then creates the file. An attacker must create the link in the interval between the check and when the file is created.


== Example ==
==Example==
In this naive example, the [[Unix]] program <tt>foo</tt> is <tt>[[setuid]]</tt>. Its function is to retrieve information for the [[account (computing)|account]]s specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (<tt>/tmp/foo</tt> naturally) before making the queries.
In this naive example, the [[Unix]] program <code>foo</code> is <code>[[setuid]]</code>. Its function is to retrieve information for the [[account (computing)|account]]s specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (<code>/tmp/foo</code> naturally) before making the queries.


The directory <tt>/tmp</tt> is world-writable. Malicious user Mallory creates a symbolic link to the file <tt>/.rhosts</tt> named <tt>/tmp/foo</tt>. Then, she invokes <tt>foo</tt> with <tt>+ +</tt> as the requested account. The program creates the (temporary) file <tt>/tmp/foo</tt> (really creating <tt>/.rhosts</tt>) and puts the requested account (<tt>+ +</tt>) in it. It removes the temporary file (merely removing the symbolic link).
The directory <code>/tmp</code> is world-writable. Malicious user Mallory creates a symbolic link to the file <code>/root/.rhosts</code> named <code>/tmp/foo</code>. Then, Mallory invokes <code>foo</code> with <code>''user''</code> as the requested account. The program creates the (temporary) file <code>/tmp/foo</code> (really creating <code>/root/.rhosts</code>) and puts information about the requested account (e.g. <code>''user password''</code>) in it. It removes the temporary file (merely removing the symbolic link).


Now the <tt>/.rhosts</tt> contains <tt>+ +</tt>, which is the incantation necessary to allow anyone to use <tt>[[rlogin]]</tt> to log into the computer as the [[superuser]].
Now the <code>/root/.rhosts</code> contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use <code>[[rlogin]]</code> to log into the computer as the [[superuser]].


In some Unix-systems there is a special flag <code>O_NOFOLLOW</code> for <code>open(2)</code> to prevent opening a file via a symbolic-link (dangling or otherwise) and has become standardized in [[POSIX|POSIX.1-2008]].
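Review bot: the rewritten walkthrough (the "Mallory invokes foo with user" and "/root/.rhosts contains password information" lines) no longer shows why the overwrite matters: the previous text wrote the literal "+ +" that rlogin treats as trust-everyone, whereas the new text writes unspecified account information and then has to hedge with "if it even happens to be in the proper format". Either keep "+ +" as the requested account or state plainly that the attacker chooses what gets written. The added O_NOFOLLOW sentence is also ungrammatical ("and has become standardized" has no subject) and describes a mitigation, so it belongs under Workaround rather than in the Example.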
== Workaround ==
The standard library function ''mkstemp(3)'' can be used to safely create temporary files. For shell scripts, the system utility <tt>mktemp</tt> does the same thing.


==Workaround==
[[Category:Security exploits]]
The [[POSIX]] [[C standard library]] function <code>[[mkstemp]]</code> can be used to safely create temporary files. For shell scripts, the system utility {{man|1|mktemp|OpenBSD||inline}} does the same thing.
[[Category:Unix]]
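Review bot: the Workaround section only covers temporary-file creation (mkstemp, mktemp), while the expanded lead now also describes the antivirus quarantine-or-delete case from the ZDNet reference; that case is not a temporary-file problem and is left without any mitigation here, so either narrow the section's wording to temporary files or add a sentence addressing it.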


==References==
[[de:Symlink-Schwachstelle]]
{{Reflist}}
[[pl:Symlink race]]

{{unix-stub}}

[[Category:Computer security exploits]]
[[Category:Unix]]

Latest revision as of 08:43, 9 June 2024

A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner.[1] A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).

It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.

A symlink race can happen with antivirus products that decide they will quarantine or delete a suspicious file, and then go ahead and do that. During the interval between decision and action, malicious software can replace the suspicious file with a system or antivirus file that the malicious software wants overwritten.[2]

Example


In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (/tmp/foo, naturally) before making the queries.

The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link named /tmp/foo that points to the file /root/.rhosts. Then Mallory invokes foo with user as the requested account. The program creates the (temporary) file /tmp/foo, which really creates /root/.rhosts, and puts information about the requested account (e.g. user password) in it. It then removes the temporary file, which merely removes the symbolic link and leaves the written content in /root/.rhosts.

Now /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.

Some Unix systems provide a special flag, O_NOFOLLOW, for open(2) that prevents opening a file through a symbolic link (dangling or otherwise); it has been standardized in POSIX.1-2008.

Workaround


The POSIX C standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp(1) does the same thing.
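The following C program is an added illustration, not part of the Wikipedia article: it replays the Example above inside a scratch directory that stands in for /tmp, against a dummy file that stands in for /root/.rhosts, and places beside the naive check-then-create the two mitigations this page names, open(2) with O_NOFOLLOW (combined with O_CREAT|O_EXCL) and mkstemp(3). The attacker's move is simulated by a function called in the gap between the check and the open; the "+ +" payload is reused from the article's example, and all file names, helper names and the run_demo harness are constructed for the demonstration.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp, mkstemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the hypothetical setuid program writes to its scratch file: the
 * "+ +" rlogin trust-everyone line from the article's example. */
static const char PAYLOAD[] = "+ +\n";

/* Paths the simulated attacker uses; filled in by run_demo(). */
static char g_target[512];      /* stands in for /root/.rhosts */
static char g_link[512];        /* stands in for /tmp/foo      */

/* Simulated Mallory: plant the link /tmp/foo -> /root/.rhosts. */
static void mallory_plants_link(void) {
    if (symlink(g_target, g_link) != 0 && errno != EEXIST) perror("symlink");
}

/* Write PAYLOAD through fd, close it, return 0 on success. */
static int write_payload(int fd) {
    ssize_t w = write(fd, PAYLOAD, sizeof PAYLOAD - 1);
    close(fd);
    return w == (ssize_t)(sizeof PAYLOAD - 1) ? 0 : -1;
}

/* VULNERABLE: the article's check-then-create at a predictable name.
 * 'between' models whatever runs between the stat() check and the open();
 * a plain open() follows symlinks, so the write lands wherever the link points. */
static int create_temp_naive(const char *path, void (*between)(void)) {
    struct stat st;
    if (stat(path, &st) == 0) { errno = EEXIST; return -1; }   /* time of check */
    if (between) between();                                    /* attacker's window */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* time of use */
    if (fd < 0) return -1;
    int rc = write_payload(fd);
    unlink(path);                       /* removes only the symlink */
    return rc;
}

/* HARDENED: no separate check. O_CREAT|O_EXCL creates atomically and POSIX
 * requires it to fail with EEXIST when 'path' is a symlink, wherever it points;
 * O_NOFOLLOW (POSIX.1-2008) refuses a symlink in the final path component.
 * Neither flag guards a symlinked parent directory: the directory must be trusted. */
static int create_temp_hardened(const char *path, void (*between)(void)) {
    if (between) between();             /* attacker wins the race; it no longer matters */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;              /* EEXIST: refuse rather than follow */
    int rc = write_payload(fd);
    unlink(path);
    return rc;
}

/* PREFERRED: mkstemp(3) picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL itself, so there is no fixed name for the attacker to pre-create.
 * 'tmpl' must end in XXXXXX and is rewritten in place with the chosen name. */
static int create_temp_mkstemp(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc = write_payload(fd);
    unlink(tmpl);
    return rc;
}

/* Run one variant (0 = naive, 1 = hardened, 2 = mkstemp) in a fresh scratch
 * directory standing in for /tmp, with a "protected" file standing in for
 * /root/.rhosts. Returns 1 if that file ends up holding PAYLOAD (the attack
 * worked), 0 if it is untouched, -1 if the scratch setup failed. */
static int run_demo(int variant) {
    char dir[] = "/tmp/symlink-race-demo.XXXXXX", alt[] = "./symlink-race-demo.XXXXXX";
    char *d = mkdtemp(dir) ? dir : mkdtemp(alt);
    if (!d) return -1;
    snprintf(g_target, sizeof g_target, "%s/rhosts", d);
    snprintf(g_link, sizeof g_link, "%s/foo", d);
    int fd = open(g_target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original\n", 9) != 9) return -1;
    close(fd);

    if (variant == 0) {
        create_temp_naive(g_link, mallory_plants_link);
    } else if (variant == 1) {
        create_temp_hardened(g_link, mallory_plants_link);
    } else {
        char tmpl[600];
        mallory_plants_link();          /* link exists, but its name is never reused */
        snprintf(tmpl, sizeof tmpl, "%s/foo.XXXXXX", d);
        create_temp_mkstemp(tmpl);
    }

    char buf[64] = {0};
    fd = open(g_target, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(g_link); unlink(g_target); rmdir(d);
    return n > 0 && strcmp(buf, PAYLOAD) == 0;
}

int main(void) {
    printf("naive:    protected file overwritten = %d\n", run_demo(0));   /* 1 */
    printf("hardened: protected file overwritten = %d\n", run_demo(1));   /* 0 */
    printf("mkstemp:  protected file overwritten = %d\n", run_demo(2));   /* 0 */
    return 0;
}
```

The naive variant reports 1: its open() followed the planted link and the final unlink removed only the link, exactly as the article describes. Both fixes report 0, for different reasons: the hardened open() refuses the link at the moment of creation, so check and use are one atomic step; mkstemp never reuses a name the attacker could have guessed. Note that O_EXCL and O_NOFOLLOW only inspect the last path component, so a temporary directory whose parents an attacker controls is still unsafe.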

References

1. "CAPEC-27: Leveraging Race Conditions via Symbolic Links". CAPEC. https://capec.mitre.org/data/definitions/27.html
2. "Symlink race bugs discovered in 28 antivirus products". ZDNet. https://www.zdnet.com/article/symlink-race-bugs-discovered-in-28-antivirus-products/