Symlink vulnerability
A symlink vulnerability (from English symlink bug; also called symlink vulnerability; in German Schwachstelle [durch] symbolische Links, "vulnerability [through] symbolic links") is a security hole that allows an attacker to write arbitrary files with the rights of the program being executed.
Details
The security vulnerability, often called the symlink bug, occurs when a program with extended rights creates a file in an insecure manner in a directory to which the attacker has write access. The attacker creates a symlink in advance with the same file name, pointing to a file that they cannot normally write for lack of permissions. The vulnerable program does not notice the symlink and creates or overwrites the target file. Often the attacker also has a way of influencing the contents of the file.
Example
Take as an example the fictitious Unix program foo, which determines further information about user accounts and is setuid for this purpose. For performance reasons, it first sorts the user list into a temporary file, /tmp/foo.

The directory /tmp is world-writable. Before the program starts, the attacker Alice creates a symlink from /tmp/foo to the file /root/.rhosts. Then she invokes foo with the parameter "+ +" as the account name. The program foo now tries to write the string "+ +" into the temporary file /tmp/foo. In reality, however, it creates the file /root/.rhosts. After it has done its actual job, it deletes the symlink /tmp/foo but leaves /root/.rhosts untouched.

The attacker deliberately chose the character sequence "+ +" in this example because this entry in the file /root/.rhosts means that anyone can log in as root using the rlogin program.
Inadequate countermeasures
It is not enough to check before creating the file that no symlink with the same name exists, because there is a small time window between the check and the creation (race condition). The attacker can widen this time window by running the vulnerable program under a debugger or by otherwise overloading the system.
Countermeasures
To create temporary files, the function mkstemp(3) from the C standard library (stdlib.h) should be used. For shell scripts there is the program mktemp. If the file name is to be chosen by the program itself, the flags O_CREAT and O_EXCL must be passed together when the system function open is called; with both flags set, the call fails if the path already exists, including when it is a symlink. Since Linux 3.11 the flag O_TMPFILE has also been available.
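The vulnerable pattern from the example beside the two hardened forms named above, as an added C example that is not part of the original article; the scratch directory, file names and function names are assumptions, and the self-check plants its symlink only inside a private directory it creates itself.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares mkstemp(3), mkdtemp(3), symlink(2) */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the example: a fixed, predictable name in a
 * world-writable directory, opened with O_CREAT but without O_EXCL. A
 * symlink planted under that name is followed and its target is written. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form for a program-chosen name: O_CREAT|O_EXCL makes open(2)
 * fail with EEXIST if anything already exists at path, a symlink included
 * (even a dangling one), so the call never follows a planted link. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred form: mkstemp(3) picks an unpredictable name and creates it
 * atomically with O_CREAT|O_EXCL. The XXXXXX suffix is replaced in place. */
int safe_tempfile(char *tmpl) {
    return mkstemp(tmpl);
}

/* Self-check in a private scratch directory (constructed; not /tmp itself):
 * plant a dangling symlink "foo" -> "target" and try both opens on it.
 * Bit 0: hardened open refused the link and "target" was not created.
 * Bit 1: unsafe open followed the link and created "target". -1: setup failed. */
int demo(void) {
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char target[64], lnk[64]; struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/foo", dir);
    if (symlink(target, lnk) != 0) return -1;   /* "target" does not exist yet */
    fd = safe_create(lnk);
    if (fd < 0 && errno == EEXIST && stat(target, &st) != 0) result |= 1; else if (fd >= 0) close(fd);
    fd = unsafe_create(lnk);
    if (fd >= 0) { close(fd); if (stat(target, &st) == 0) result |= 2; }
    unlink(target); unlink(lnk); rmdir(dir);
    return result;
}
```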