Every year, new techniques and exploits are developed to compromise websites. Often, these exploits are used in vulnerability assessments to improve the security of websites and web hosting services. Because of this, major hacks and exploits can be quickly patched and secured against. Hackers and cybersecurity professionals are constantly looking for new exploits, and symlink hacking is one of those developments. This section will cover the mechanics of a symlink attack, a detailed example of the hack, and how organizations secure themselves against attacks.

It is easy to apply an exploit without understanding the underlying process, and a lot of concepts in cybersecurity and programming rely on this. However, the symlink attack is not too complex, and knowing the process grants insight into more effective uses. For example, the most referenced attack is the Windows shortcut file. The shortcut file allows you to access a higher directory from the desktop environment, and the symlink attack works by accessing the root folder from a restricted user environment. Most commercial web services host multiple sites and customers on shared servers. Each user is restricted to the home directory that contains their site and hosted content. By running a symlink command in PHP, the user creates a link to the server's root folder and can gain access to all sites on the shared server.
To further explain the attack, let's take a look at an example of symlink hacking. Let's assume the attacker has purchased or gained access to a customer account at a web hosting service. The attacker needs to execute this PHP command in order to create a symbolic link from the user account directory to the root of the shared server directory:

symlink("/", "./forroot");
Let's break down this code snippet in order to understand it: symlink(a, b) is a function that takes two arguments, a and b, as strings. The argument a is the target being symbolically linked to, and the argument b is the path of the symbolic link that is created. In this case, the server's root folder, "/", is targeted through a folder in the current directory, "./forroot", which is created as a symbolic link. There are multiple avenues for executing this command. Many services allow the customer to execute custom code on the server. This could be in the form of customized scripts that are scheduled to run periodically, web server scripts, or even configurations of email servers. Once the symbolic link has been created, the user navigates to the folder within their own home directory. The attacker can then run a simple "ls -la" command in order to list the root folders and files along with their owners and permissions, or the attacker may navigate directly to the root folder via the web browser's file navigation.

Securing your organization from an attack like this is not too difficult. Even organizations that host their own sites are vulnerable to symlink attacks if an attacker gains unauthorized access to a user account. One option is to host your services on CloudLinux and set up its special configuration for symlinks. Setting this option to 1 prevents symlinks between directories with different owners from being followed: fs.enforce_symlinksifowner=1.
Another avenue for attack is a user-editable php.ini file, to which a user can add an extra line that allows the symlink function to execute. Disabling user access to this file can prevent symlink attacks. In short, symlink hacking is a relatively new and moderately advanced method of compromising websites. Shared web hosting servers can be targeted to reach whatever sites they happen to host, or a specific target site can be reached by scanning to uncover its hosting provider and getting an account on the same server. Protecting against this attack is simple enough, but most exploits rely on the target being unaware that the attack exists.

Symlink attacks are a new type of method for exploiting websites. The attack relies on creating a "shortcut" folder from the web server user directory to the web server's root directory. The theory of the attack has been explained along with a practical example of its use and methods for prevention.
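As an added defender-side example (not code from the original article), the following Python audit walks a customer's home directory and reports symlinks that resolve outside that directory (the "./forroot" -> "/" pattern above), that dangle, or whose link and target are owned by different uids, which is the condition fs.enforce_symlinksifowner=1 blocks in the kernel. The demo() layout, the directory names and the temporary-directory location are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def audit_home(home):
    """Return [(link, resolved_target, reasons)] for suspicious symlinks under home.

    A link is reported when its resolved target lies outside the customer tree,
    when it dangles, or when the link and its target have different owners,
    which is what fs.enforce_symlinksifowner=1 refuses to follow.
    """
    home = Path(home).resolve()
    findings = []
    # followlinks stays False, so a link to "/" is listed but never descended into
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            link = Path(root) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # non-strict: a dangling link still yields a path
            reasons = []
            if target != home and home not in target.parents:
                reasons.append("escapes home")
            try:
                link_uid = os.lstat(link).st_uid   # owner of the link itself
                target_uid = os.stat(link).st_uid  # owner of what it points to
            except FileNotFoundError:
                reasons.append("dangling")
            else:
                if link_uid != target_uid:
                    reasons.append(f"owner mismatch: link uid {link_uid}, target uid {target_uid}")
            if reasons:
                findings.append((str(link.relative_to(home)), str(target), reasons))
    return findings


def demo():
    """Constructed sample layout: one benign in-tree link and one 'forroot' link."""
    home = Path(tempfile.mkdtemp(prefix="customer_home_"))
    (home / "releases" / "v1").mkdir(parents=True)
    os.symlink("releases/v1", home / "current")  # benign: stays inside the customer tree
    os.symlink("/", home / "forroot")            # the pattern described in the article
    return {link: reasons for link, _, reasons in audit_home(home)}


if __name__ == "__main__":
    for link, reasons in demo().items():
        print(f"{link}: {', '.join(reasons)}")
```

Run it against each directory under the hosting root (for example from a scheduled job) and alert on any finding; the owner-mismatch reason only fires when the audit runs on a real multi-user box, since the demo creates both links as the same user.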