May 28, 2023

A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file with the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user or even provided by the malicious user. The result is an elevation-of-privilege attack.

It is called a “race” because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.
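As an added illustration (not code from the original post), the check-then-create pattern described above beside a hardened version that creates the file atomically and refuses to follow a link; the file names and the "protected" target are constructed for the demo.

```python
import os
import tempfile

def create_unsafe(path: str, content: bytes) -> None:
    """Vulnerable: the existence check and the open are separate steps, and
    open() follows symlinks, so a link planted at `path` redirects the write."""
    if os.path.exists(path):          # follows symlinks; a dangling link
        raise FileExistsError(path)   # passes this check as "does not exist"
    with open(path, "wb") as f:       # a link planted before this is followed
        f.write(content)

def create_safe(path: str, content: bytes) -> None:
    """Hardened: one atomic syscall that creates the file only if nothing
    (not even a symlink) already occupies the name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # O_EXCL: fail if the name exists at all;
    try:                              # O_NOFOLLOW: never follow a symlink
        os.write(fd, content)
    finally:
        os.close(fd)

def demo() -> tuple:
    """Simulates the race with the attacker's link already in place and returns
    (bytes that landed in the target after the unsafe write, whether the
    hardened version refused)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "protected.conf")  # constructed: file attacker wants written
        drop = os.path.join(d, "dropfile")          # constructed: name the program will create
        os.symlink(target, drop)                    # attacker won the race: link planted first
        # target does not exist yet, so exists(drop) is False and the check passes
        create_unsafe(drop, b"attacker-chosen content\n")
        with open(target, "rb") as f:
            written = f.read()                      # the link target was created instead
        os.unlink(target)                           # reset for the hardened version
        try:
            create_safe(drop, b"attacker-chosen content\n")
            refused = False
        except OSError:                             # EEXIST or ELOOP: nothing is written
            refused = True
        return written, refused
```

The hardened version closes the window because the kernel performs the existence check and the create in a single operation, so there is no interval for a link to be planted in.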

RACK911, a research lab, says the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable.

RACK911 researchers have created proof-of-concept scripts that abuse a (symlink) race condition to link malicious files to legitimate files via directory junctions (on Windows) and symbolic links (on Mac & Linux).

When the antivirus detects the malicious file and moves to delete it, it ends up deleting its own files, or removing core files owned by the operating system.

Attacks in the real world using the RACK911 bugs would require that an attacker be in a position to first download and then run the symlink attack code on a device. This is not something that can help attackers breach a system, but something that could help them improve their access on a hacked system.

This means this type of bug can only be used as a second-stage payload in a malware infection, to elevate privileges, to disable security products, or to sabotage computers in a destructive attack.

Key players McAfee, Comodo, Avast, Kaspersky, Bitdefender and Malwarebytes are vulnerable to this exploit.
