Symlink v4 (Priv8 symlink bypass 2014)

An attacker positions a symbolic link so that the targeted user or application accesses the link's endpoint while assuming that it is accessing a file with the link's name. The endpoint file may be either output or input.

If the file is output, the endpoint is modified instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other changes. In some variants of this attack the attacker can control the change made to the file; in others they cannot. The former is especially damaging, since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging, as it can expose sensitive information or corrupt or destroy vital system or application files.

Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions the attacker would normally have.
Attack Prerequisites
  • The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link.
  • The attacker must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.
Resources Required
  • No special resources are required beyond the ability to create the necessary symbolic link.

Solutions and Mitigation
  • Design: Check whether a file to be created already exists; if it does, verify that it is neither a symlink nor a hardlink before opening it.
  • Implementation: Use randomly generated file names for temporary files.
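The two mitigations above, as an added example that is not part of the original page: `path_is_plain_file` performs the design-level check with `lstat` (rejecting symlinks and hardlink aliases), and `create_new_output` performs the open atomically with `O_CREAT|O_EXCL|O_NOFOLLOW`, so a link planted between the check and the open is still refused. The demo scenario (a private `mkdtemp` directory, a regular file and a planted symlink) is constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` is absent, or is a regular file with a single hard link;
 * 0 if a symlink, a hardlink alias (st_nlink > 1) or a non-regular file sits there. */
int path_is_plain_file(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)            /* lstat inspects the link itself, not its target */
        return 1;
    if (S_ISLNK(st.st_mode))
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1;
}

/* Create an output file that must not already exist. O_EXCL fails if any
 * object (symlink included) occupies the name; O_NOFOLLOW refuses to follow
 * a symlink. Both are applied by the kernel in one step, closing the
 * check-then-open race. Returns a descriptor, or -1 on refusal/error. */
int create_new_output(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a regular file and a planted symlink in a private
 * directory. Returns the number of checks that behaved as expected (4). */
int demo_symlink_checks(void) {
    char dir[] = "/tmp/symdemo.XXXXXX", reg[64], planted[64], fresh[64];
    int ok = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;   /* unpredictable directory name */
    snprintf(reg, sizeof reg, "%s/real.txt", dir);
    snprintf(planted, sizeof planted, "%s/planted.txt", dir);
    snprintf(fresh, sizeof fresh, "%s/new.txt", dir);
    if ((fd = open(reg, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    symlink(reg, planted);                 /* the link an attacker would plant */
    ok += path_is_plain_file(reg) == 1;    /* plain regular file passes */
    ok += path_is_plain_file(planted) == 0;/* symlink is rejected by the check */
    ok += create_new_output(planted) == -1;/* O_EXCL|O_NOFOLLOW refuses the link */
    if ((fd = create_new_output(fresh)) >= 0) { ok++; close(fd); } /* fresh name succeeds */
    unlink(fresh); unlink(planted); unlink(reg); rmdir(dir);
    return ok;
}

int main(void) {
    printf("checks passed: %d/4\n", demo_symlink_checks());
    return 0;
}
```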