Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation

We analyze filename-based privilege escalation attacks, where an attacker creates filesystem links, thereby "tricking" a victim program into opening unintended files. We develop primitives for a POSIX environment, providing assurance that files in "safe directories" (such as /etc/passwd) cannot be opened by looking up a file by an "unsafe pathname" (such as a pathname that resolves through a symbolic link in a world-writable directory). In today's UNIX systems, solutions to this problem are typically built into (some) applications and use application-specific knowledge about (un)safety of certain directories. In contrast, we seek solutions that can be implemented in the filesystem itself (or a library on top of it), thus providing protection to all applications.

Our solution is built around the concept of pathname manipulators, which are roughly the users that can influence the result of a file lookup operation. For each user, we distinguish unsafe pathnames from safe pathnames according to whether or not the pathname has any manipulators other than that user or root. We propose a safe-open procedure that keeps track of the safety of the current pathname as it resolves it, and that takes extra precautions while opening files with unsafe pathnames. We prove that our solution can prevent a common class of filename-based privilege escalation attacks, and describe our implementation of the safe-open procedure as a library function over the POSIX filesystem interface. We tested our implementation on several UNIX variants to evaluate its implications for systems and applications. Our experiments suggest that this solution can be deployed in a portable way without breaking existing systems, and that it is effective against this class of pathname resolution attacks.

By: Suresh Chari; Shai Halevi; Wietse Venema

Published in: RC24900 in 2009


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .