Windows Shortcut Following (.LNK)
Weakness ID: 64 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The software, when opening a file or directory, does not sufficiently handle the case where the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Extended Description

The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access.

+ Alternate Terms
Windows symbolic link following
symlink
+ Time of Introduction
  • Operation
+ Applicable Platforms

Languages

All

Operating Systems

Windows

+ Likelihood of Exploit

Medium to High

+ Observed Examples
| Reference | Description |
|---|---|
| CVE-2000-0342 | |
| CVE-2001-1042 | |
| CVE-2001-1043 | |
| CVE-2005-0587 | |
| CVE-2001-1386 | ".LNK." - .LNK with trailing dot |
| CVE-2003-1233 | Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link |
+ Potential Mitigations

Follow the principle of least privilege when assigning access rights to files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
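As an added example (not part of the original entry), the sketch below identifies a shortcut by more than one attribute, in the spirit of the FIO05-C mapping: the name after trailing dots and spaces are dropped (the ".LNK." variant listed under Observed Examples) and the Shell Link header at the start of the content. The function names and the reject-instead-of-resolve policy are assumptions made for illustration.

```python
import struct

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")


def has_lnk_extension(name: str) -> bool:
    """True if the final path component names a shortcut once trailing dots
    and spaces are dropped, as Win32 path normalization does ("x.LNK." -> "x.LNK")."""
    leaf = name.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.rstrip(". ").lower().endswith(".lnk")


def has_lnk_header(first_bytes: bytes) -> bool:
    """True if the content starts with the Shell Link header, whatever the name."""
    return first_bytes[:len(LNK_MAGIC)] == LNK_MAGIC


def is_shortcut(name: str, first_bytes: bytes) -> bool:
    """Treat the file as a shortcut if either the name or the content says so."""
    return has_lnk_extension(name) or has_lnk_header(first_bytes)


def open_regular_file(path: str):
    """Hypothetical wrapper: open path for reading, refusing shortcuts.

    The check runs on the handle that is returned, so the bytes inspected
    are the bytes the caller will read.
    """
    f = open(path, "rb")
    try:
        head = f.read(len(LNK_MAGIC))
        if is_shortcut(path, head):
            raise PermissionError(f"refusing Windows shortcut: {path!r}")
        f.seek(0)
        return f
    except Exception:
        f.close()
        raise
```
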

+ Weakness Ordinalities
| Ordinality | Description |
|---|---|
| Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
+ Relationships
| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Base | 59 | Improper Link Resolution Before File Access ('Link Following') | Research Concepts (primary) 1000 |
| ChildOf | Category | 63 | Windows Path Link Problems | Resource-specific Weaknesses (primary) 631; Development Concepts (primary) 699 |
| ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 |
+ Research Gaps

Under-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows APIs will access LNK files as if they are regular files, so one would expect that they would be reported more frequently.

+ Causal Nature

Explicit

+ Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Windows Shortcut Following (.LNK) |
| CERT C Secure Coding | FIO05-C | | Identify files using multiple file attributes |
+ Content History
Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Change |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Applicable Platforms, Relationships, Taxonomy Mappings, Weakness Ordinalities |
| 2008-10-14 | CWE Content Team | MITRE | Internal | updated Description |
| 2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |