Symlink race
Encyclopedia
A symlink race is a kind of software security vulnerability that results from a program creating files
in an insecure manner. A malicious user can create a symbolic link
to a file not otherwise accessible to him or her. When the privileged
program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).
It is called a "race
" because in its typical manifestation, the program checks to see if a file by that name already exists, then creates the file. An attacker must create the link in the interval between the check and when the file is created.
program foo is setuid
. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /root/.rhosts named /tmp/foo. Then, he invokes foo with user as the requested account. The program creates the (temporary) file /tmp/foo (really creating /root/.rhosts) and puts information about the requested account (e.g. user password) in it. It removes the temporary file (merely removing the symbolic link).
Now the /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use rlogin
to log into the computer as the superuser
.
function can be used to safely create temporary files. For shell scripts, the system utility does the same thing.
Computer file
A computer file is a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is durable in the sense that it remains available for programs to use after the current program has finished...
in an insecure manner. A malicious user can create a symbolic link
Symbolic link
In computing, a symbolic link is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution. Symbolic links were already present by 1978 in mini-computer operating systems from DEC and Data...
to a file not otherwise accessible to him or her. When the privileged
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).
It is called a "race
Race condition
A race condition or race hazard is a flaw in an electronic system or process whereby the output or result of the process is unexpectedly and critically dependent on the sequence or timing of other events...
" because in its typical manifestation, the program checks to see if a file by that name already exists, then creates the file. An attacker must create the link in the interval between the check and when the file is created.
Example
In this naive example, the UnixUnix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
program foo is setuid
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /root/.rhosts named /tmp/foo. Then, he invokes foo with user as the requested account. The program creates the (temporary) file /tmp/foo (really creating /root/.rhosts) and puts information about the requested account (e.g. user password) in it. It removes the temporary file (merely removing the symbolic link).
Now the /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use rlogin
Rlogin
rlogin is a software utility for Unix-like computer operating systems that allows users to log in on another host via a network, communicating via TCP port 513.It was first distributed as part of the 4.2BSD release....
to log into the computer as the superuser
Superuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
.
Workaround
The C standard libraryC standard library
The C Standard Library is the standard library for the programming language C, as specified in the ANSI C standard.. It was developed at the same time as the C POSIX library, which is basically a superset of it...
function can be used to safely create temporary files. For shell scripts, the system utility does the same thing.