Symlink vulnerability

from Wikipedia, the free encyclopedia

A symlink vulnerability (also called a symlink bug; literally, a vulnerability through symbolic links) is a security hole that allows an attacker to write arbitrary files with the privileges of the program being executed.

Details

The security vulnerability, often called the symlink bug, occurs when a program with elevated privileges creates a file in an insecure manner in a directory to which the attacker has write access. The attacker creates, in advance, a symlink with the same file name that points to a file they could not normally write for lack of permissions. The vulnerable program does not notice the symlink and creates or overwrites the target file. Often the attacker also has a way of influencing the contents of the file.

Example

As an example, take the fictitious Unix program foo, which looks up further information about user accounts and is setuid for this purpose. For performance reasons, it first sorts the user list into a temporary file, /tmp/foo.

The directory /tmp is world-writable. Before the program starts, the attacker Alice creates a symlink from /tmp/foo to the file /root/.rhosts. She then invokes foo with the parameter "+ +" as the account name. The program foo now tries to write the string "+ +" into the temporary file /tmp/foo. In reality, however, it creates the file /root/.rhosts. After it has done its actual job, it deletes the symlink /tmp/foo but leaves /root/.rhosts untouched.

The attacker deliberately chose the character sequence "+ +" in this example because this entry in /root/.rhosts means that anyone can log in as root using the rlogin program.

Inadequate countermeasures

It is not enough to check before creating the file that there is no symlink with the same name, because there is a small time window between the check and the creation (a race condition). The attacker can widen this time window by running the vulnerable program in a debugger or by otherwise overloading the system.

Countermeasures

The mkstemp(3) function from the C standard library (stdlib.h) should be used to create temporary files. For shell scripts there is the mktemp program. If the file name is to be chosen by the program itself, the flags O_CREAT and O_EXCL must be passed when calling the open system call. Since Linux 3.11 the O_TMPFILE flag is also available.
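The foo scenario above, as an added C example that is not part of the original article: it contrasts the naive fixed-name open with the O_CREAT|O_EXCL and mkstemp(3) countermeasures. The scratch directory and file names (foo, target) are constructed for the demonstration and are not the article's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Naive pattern from the foo example: open(2) without O_EXCL follows a
 * symlink planted at the fixed path and creates or truncates its target. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern for a program-chosen name: O_CREAT|O_EXCL makes open(2)
 * fail with EEXIST if anything, a symlink included, already occupies the
 * path, so a pre-planted link is never followed. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Self-contained check in a private scratch directory (constructed here; no
 * real /tmp race is involved): plant "foo" as a symlink to "target", then try
 * each pattern plus mkstemp(3), which picks an unpredictable name and creates
 * it atomically with O_EXCL. Returns 1 when the exclusive open is refused
 * with EEXIST and target stays absent, the naive open follows the link and
 * creates target, and mkstemp succeeds; 0 otherwise. */
int demo_symlink_defence(void) {
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char foo[4096], target[4096], tmpl[4096];
    int ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpl, sizeof tmpl, "%s/foo.XXXXXX", dir);
    if (symlink(target, foo) == 0) {
        int fd = open_exclusive(foo);
        int rejected = fd == -1 && errno == EEXIST && access(target, F_OK) != 0;
        if (fd >= 0) close(fd);
        fd = open_naive(foo);
        int followed = fd >= 0 && access(target, F_OK) == 0;
        if (fd >= 0) close(fd);
        fd = mkstemp(tmpl);            /* safe replacement for the fixed name */
        if (fd >= 0) { close(fd); unlink(tmpl); }
        ok = rejected && followed && fd >= 0;
    }
    unlink(target); unlink(foo); rmdir(dir);
    return ok;
}
```

The check runs entirely inside a freshly created mode-0700 directory, so no world-writable location is involved.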