Symlink Race: In the limelight now

A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user or even provided by the malicious user. The result is an elevation-of-privilege attack.

It is called a “race” because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.
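The check-then-create window described above, replayed deterministically inside a private temporary directory, beside the atomic creation that closes it. This is an added example, not code from RACK911 or from the original post; the function names and the `/tmp/symrace-XXXXXX` paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the racy pattern: "does a file by that name exist?" */
static int name_is_free(const char *path) {
    struct stat st;
    return lstat(path, &st) == -1 && errno == ENOENT;
}

/* Step 2 of the racy pattern: plain create, which follows a symlink. */
static int create_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: check and create are one atomic call. O_EXCL fails with EEXIST
 * if the name exists in any form, including a dangling symlink. */
static int create_atomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the window inside a private temp directory (constructed paths).
 * Returns 1 if the linked-to file got created, 0 if not, -1 on setup error. */
int target_created_via_link(int hardened) {
    char dir[] = "/tmp/symrace-XXXXXX", out[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(out, sizeof out, "%s/out.tmp", dir);
    snprintf(target, sizeof target, "%s/protected", dir);

    if (!name_is_free(out)) return -1;       /* check: name does not exist */
    if (symlink(target, out) != 0) return -1; /* window: link appears here */
    int fd = hardened ? create_atomic(out) : create_racy(out);
    if (fd >= 0) close(fd);

    int created = stat(target, &st) == 0;     /* did the linked-to file appear? */
    unlink(target); unlink(out); rmdir(dir);
    return created;
}

int main(void) {
    printf("racy:   target created = %d\n", target_created_via_link(0));
    printf("atomic: target created = %d\n", target_created_via_link(1));
    return 0;
}
```

With the racy pair the linked-to file is created even though the check passed; with the single `O_CREAT | O_EXCL` call the open fails and nothing is written through the link.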

RACK911, a research lab, says the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable.

RACK911 researchers have created proof-of-concept scripts that abuse a (symlink) race condition to link malicious files to legitimate files via directory junctions (on Windows) and symbolic links (on Mac & Linux).

When the antivirus detects the malicious file and moves to delete it, it ends up deleting its own files, or removing core files owned by the operating system.

Attacks in the real world using the RACK911 bugs would require that an attacker be in a position to first download and then run the symlink attack code on a device. This is not something that can help attackers breach a system, but something that could help them improve their access on a hacked system.

This means this type of bug can only be used as a second-stage payload in a malware infection, to elevate privileges, to disable security products, or to sabotage computers in a destructive attack.

Key players McAfee, Comodo, Avast, Kaspersky, Bitdefender and Malwarebytes are vulnerable to this exploit.
