A Link to the Past: Abusing Symbolic Links on Windows presented at Infiltrate 2015

by James Forshaw

Summary: The dangers of symbolic links are well known on Unix-like operating systems. Through their misuse, a privileged process can be tricked into writing files to a location under the attacker's control, leading to privilege escalation or disclosure of sensitive information. On Windows there is comparatively little research into these sorts of vulnerabilities, even though Windows NT has supported symbolic links in various forms since its inception with version 3.1. To make matters worse, the functionality is poorly documented, making mitigation very difficult for Windows developers of both user-mode and kernel-mode applications. This presentation will describe the potential for abusing the various types of symbolic links on the Windows operating system to break out of application sandboxes, gain administrator privileges or disclose sensitive information. Examples of vulnerabilities will be presented to demonstrate some of the attacks, and to allow attendees to better identify other similar issues within Windows and third-party applications. It will also describe a few novel techniques for winning TOCTOU races and implementing filename-level symbolic links without requiring administrator privileges on current versions of Windows.