Symlink race explained

A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner.[1] A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).

It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.

A symlink race can also affect antivirus products: the product decides to quarantine or delete a suspicious file and then acts on that decision. During the interval between decision and action, malicious software can replace the suspicious file with a link to a system or antivirus file that it wants overwritten.[2]

Example

In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (/tmp/foo, naturally) before making the queries.

The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /root/.rhosts named /tmp/foo. Then, Mallory invokes foo with "user" as the requested account. The program creates the (temporary) file /tmp/foo (really creating /root/.rhosts) and puts information about the requested account (e.g. "user password") in it. It then removes the temporary file (merely removing the symbolic link).

Now /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.

On some Unix systems there is a special flag, O_NOFOLLOW, for open(2) that prevents opening a file via a symbolic link (dangling or otherwise); it was standardized in POSIX.1-2008.

Workaround

The POSIX C standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility does the same thing.
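The check-then-create pattern from the example above, beside the hardened single-call form, as an added example that is not part of the original article. The race_window hook, the scratch directory under /tmp and the names "foo" and "victim" are constructed for the demonstration and stand in for /tmp/foo and /root/.rhosts; mkstemp gives the same guarantee as the hardened call (O_EXCL plus a random name), which is why the Workaround recommends it.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: check, then create. The race_window hook stands in for
 * the scheduling gap in which another process can plant a symlink at path;
 * O_CREAT without O_EXCL follows that link and writes the linked-to file. */
static int create_tmp_insecure(const char *path, void (*race_window)(const char *)) {
    if (access(path, F_OK) == 0)             /* step 1: "does it exist?" */
        return -1;
    if (race_window) race_window(path);      /* the interval the attacker needs */
    return open(path, O_WRONLY | O_CREAT, 0600);  /* step 2: create (follows links) */
}

/* Hardened: a single atomic call. O_EXCL fails if any name is already there,
 * O_NOFOLLOW refuses a symlink at the final component; there is no window. */
static int create_tmp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "victim" stands in for /root/.rhosts, "foo" for /tmp/foo. */
static char g_victim[256];

static void plant_symlink(const char *path) {     /* Mallory's move */
    symlink(g_victim, path);
}

/* Returns 1 when the insecure variant wrote through the link into victim AND
 * the hardened variant refused the planted link; 0 otherwise; -1 on setup error. */
int run_scenario(void) {
    char dir[] = "/tmp/symlinkrace.XXXXXX", link[256];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;          /* private scratch directory */
    snprintf(g_victim, sizeof g_victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/foo", dir);
    int v = open(g_victim, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* empty victim */
    if (v < 0) return -1; close(v);
    int fd = create_tmp_insecure(link, plant_symlink);
    if (fd >= 0) { if (write(fd, "x", 1) < 0) return -1; close(fd); }
    int insecure_followed = stat(g_victim, &st) == 0 && st.st_size == 1;
    int fd2 = create_tmp_secure(link);            /* link is still planted */
    int secure_refused = fd2 < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd2 >= 0) close(fd2);
    unlink(link); unlink(g_victim); rmdir(dir);
    return insecure_followed && secure_refused;
}
```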

Notes and References

  1. CAPEC-27: Leveraging Race Conditions via Symbolic Links. CAPEC.
  2. Symlink race bugs discovered in 28 antivirus products.