Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
On Tuesday 13 March 2007 12:01:51 3APA3A wrote:
> Dear Steven M. Christey,
>
> --Tuesday, March 13, 2007, 2:14:36 AM, you wrote to
> bugtraq@xxxxxxxxxxxxxxxxx:
>
> SMC> 3APA3A said:
> >>I. There is no symlinks under Windows. Symlink attacks are not
> >>possible.
>
> SMC> I'm not a Windows expert, but... There have been some past
> SMC> vulnerabilities where an attacker could upload a shortcut (.lnk) file
> SMC> and access files outside of the intended directory. In cases of FTP
> SMC> servers or mail clients, this makes symlink style attacks remotely
> SMC> feasible. Some previously reported examples are
> SMC> CVE-2004-2672/CVE-2005-0519/CVE-2005-0520 (argosoft), CVE-2005-2184
> SMC> (eRoom), CVE-2005-0587 (Firefox), and CVE-2001-1386 (WFTPD).
> SMC> So, issues *like* symlink vulnerabilities can happen on Windows - but
> SMC> whether they're under-reported is unknown.
>
> These attacks are remote and have attack vector absolutely different
> from Unix symlink attacks. Standard Windows files API doesn't handle
> .lnk files, application must be specially written to support them.
>
> Symlink attack is also possible against e.g. Cygwin-ported application.
I haven't used Vista at all, but from reading the MS documentation about the
new version of NTFS that it uses it appears that Unix style symlinks are
supported. (From what I can tell they've been possible since the start, just
not implemented)
So for any WIndows system that shares the new NTFS code with Vista this is a
valid vuln. Although I'm not positive about whether MS actually released
tools along with Vista to use this feature, I'm more than certain that it
does exist. (However, this may be a moot point. MS might still flag a
cross-reference like a Unix-style symlink as a filesystem error)
DRH