Windows Shortcut Following (.LNK)
Incomplete Variant
Structure: Simple
Description
The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access.
Common Consequences 1
Scope: ConfidentialityIntegrity
Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Architecture and Design
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Observed Examples 7
CVE-2019-19793network access control service executes program with high privileges and allows symlink to invoke another executable or perform DLL injection.
CVE-2000-0342Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."
CVE-2001-1042FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2001-1043FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2005-0587Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
CVE-2001-1386".LNK." - .LNK with trailing dot
CVE-2003-1233Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
Likelihood of Exploit
Low
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Operation
Alternate Terms
Windows symbolic link following
symlink
Functional Areas
- File Processing
Affected Resources
- File or Directory
Related Weaknesses
Taxonomy Mapping
- PLOVER
- CERT C Secure Coding
- Software Fault Patterns
Notes
Research GapUnder-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.