Early Access — Mondoo Vulnerability Intelligence is currently in preview.

CWE-59: Improper Link Resolution Before File Access ('Link Following') | Mondoo Vulnerability Intelligence

CWE-59

BaseDraft

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

385 linked vulnerabilities

2 related weaknesses

Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system.

Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

ConfidentialityIntegrityAccess ControlRead Files or DirectoriesModify Files or DirectoriesBypass Protection Mechanism

An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

OtherExecute Unauthorized Code or Commands

Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

Automated Static Analysis - Binary or BytecodeEffectiveness: SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful:

Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or BytecodeEffectiveness: SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful:

Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results InterpretationEffectiveness: SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful:

Web Application Scanner
Web Services Scanner
Database Scanners

Dynamic Analysis with Manual Results InterpretationEffectiveness: SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful:

Fuzz Tester
Framework-based Fuzzer

Manual Static Analysis - Source CodeEffectiveness: High

According to SOAR [REF-1479], the following detection techniques may be useful:

Focused Manual Spotcheck - Focused manual analysis of source
Manual Source Code Review (not inspections)

Automated Static Analysis - Source CodeEffectiveness: SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful:

Source code Weakness Analyzer
Context-configured Source Code Weakness Analyzer

Architecture or Design ReviewEffectiveness: High

According to SOAR [REF-1479], the following detection techniques may be useful:

Modes of Introduction

Implementation

Related Weaknesses

CWE-706ChildOf CWE-706ChildOf

Example CVEs (28)

CVE-1999-1386

Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.

CVE-2000-1178

Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.

CVE-2004-0217

Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.

CVE-2003-0517

Symlink attack allows local users to overwrite files.

CVE-2004-0689

Window manager does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.

External Links

MITRE CWE Database