Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

[Daniel Hazelton <dhazelton () enter net>]

On Tuesday 13 March 2007 12:01:51 3APA3A wrote:
> Dear Steven M. Christey,
>
> --Tuesday, March 13, 2007, 2:14:36 AM, you wrote to
> bugtraq () securityfocus com:
>
> SMC> 3APA3A said:
> > > I. There is no symlinks under Windows. Symlink attacks are not
> > > possible.
>
> SMC> I'm not a Windows expert, but...  There have been some past
> SMC> vulnerabilities where an attacker could upload a shortcut (.lnk) file
> SMC> and access files outside of the intended directory.  In cases of FTP
> SMC> servers or mail clients, this makes symlink style attacks remotely
> SMC> feasible.  Some previously reported examples are
> SMC> CVE-2004-2672/CVE-2005-0519/CVE-2005-0520 (argosoft), CVE-2005-2184
> SMC> (eRoom), CVE-2005-0587 (Firefox), and CVE-2001-1386 (WFTPD).
> SMC> So, issues *like* symlink vulnerabilities can happen on Windows - but
> SMC> whether they're under-reported is unknown.
>
> These  attacks  are  remote  and have attack vector absolutely different
> from  Unix  symlink  attacks.  Standard Windows files API doesn't handle
> .lnk files, application must be specially written to support them.
>
> Symlink  attack is also possible against e.g. Cygwin-ported application.

I haven't used Vista at all, but from reading the MS documentation about the 
new version of NTFS that it uses it appears that Unix style symlinks are 
supported. (From what I can tell they've been possible since the start, just 
not implemented)

So for any WIndows system that shares the new NTFS code with Vista this is a 
valid vuln. Although I'm not positive about whether MS actually released 
tools along with Vista to use this feature, I'm more than certain that it 
does exist. (However, this may be a moot point. MS might still flag a 
cross-reference like a Unix-style symlink as a filesystem error)

DRH