CWE-59 在文件访问前对链接解析不恰当（链接跟随）

Improper Link Resolution Before File Access ('Link Following')

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: Medium

基本描述

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 706 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 706 cwe_View_ID: 1003 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Operating_System: [{'cwe_Class': 'Windows', 'cwe_Prevalence': 'Sometimes'}, {'cwe_Class': 'Unix', 'cwe_Prevalence': 'Often'}]

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity', 'Access Control']	['Read Files or Directories', 'Modify Files or Directories', 'Bypass Protection Mechanism']	An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Other	Execute Unauthorized Code or Commands	Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

检测方法

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

可能的缓解方案

MIT-48.1 Architecture and Design

策略: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

分析过的案例

标识	说明	链接
CVE-1999-1386	Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1386
CVE-2000-1178	Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1178
CVE-2004-0217	Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0217
CVE-2003-0517	Symlink attack allows local users to overwrite files.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0517
CVE-2004-0689	Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0689
CVE-2005-1879	Second-order symlink vulnerabilities	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1879
CVE-2005-1880	Second-order symlink vulnerabilities	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1880
CVE-2005-1916	Symlink in Python program	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1916
CVE-2000-0972	Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0972
CVE-2005-0824	Signal causes a dump that follows symlinks.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0824
CVE-2001-1494	Hard link attack, file overwrite; interesting because program checks against soft links	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1494
CVE-2002-0793	Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793
CVE-2003-0578	Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0578
CVE-1999-0783	Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0783
CVE-2004-1603	Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1603
CVE-2004-1901	Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1901
CVE-2005-1111	Hard link race condition	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111
CVE-2000-0342	Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0342
CVE-2001-1042	FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1042
CVE-2001-1043	FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1043
CVE-2005-0587	Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0587
CVE-2001-1386	".LNK." - .LNK with trailing dot	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386
CVE-2003-1233	Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1233
CVE-2002-0725	File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0725
CVE-2003-0844	Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0844

Notes

Relationship

Research Gap
UNIX hard links, and Windows hard/soft links are under-studied and under-reported.

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Link Following
CERT C Secure Coding	FIO02-C		Canonicalize path names originating from untrusted sources
CERT C Secure Coding	POS01-C		Check for the existence of links when dealing with files
SEI CERT Perl Coding Standard	FIO01-PL	CWE More Specific	Do not operate on files that can be modified by untrusted users
Software Fault Patterns	SFP18		Link in resource name resolution

相关攻击模式

• CAPEC-132
• CAPEC-17
• CAPEC-35
• CAPEC-76

引用

• REF-62 The Art of Software Security Assessment

文章来源于互联网:scap中文网