Owlglass

Pentest - Symbolic Links

Windows

The C: drive isn't a real directory on disk but a symbolic link object in the Windows kernel's Object Manager namespace, which is separate from the regular file system. The symbolic link stores the path of the real device on the file system, and the kernel calls ObpParseSymbolicLink to resolve it.

A regular user is restricted in creating and deleting symlinks in the object manager: she can't create or delete symlinks under most object directories, such as \Driver or \Global??.

The object manager namespace is organized as a hierarchical tree. Each level is an object of type OBJECT_DIRECTORY; e.g. the \Device object directory contains the named device objects created by drivers.
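To see the object manager link behind a drive letter, the following added example (not code from the original post) calls the documented Win32 function QueryDosDeviceW through P/Invoke and prints the object path that the DOS device name "C:" resolves to. It assumes a Windows host; the helper name Resolve-DosDevice is an assumption of this example.

```powershell
# Added example (not from the original post): resolve a DOS device name such as "C:"
# to the Object Manager path it links to, via the Win32 API QueryDosDeviceW.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDeviceW(string lpDeviceName,
                                          System.Text.StringBuilder lpTargetPath,
                                          uint ucchMax);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32Dos' -Namespace 'Win32' -PassThru

function Resolve-DosDevice {
    # $Name is a DOS device name without trailing backslash, e.g. 'C:' (hypothetical helper)
    param([Parameter(Mandatory)][string]$Name)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = $k32::QueryDosDeviceW($Name, $buf, $buf.Capacity)
    if ($len -eq 0) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "QueryDosDevice('$Name') failed: $([ComponentModel.Win32Exception]::new($code).Message)"
    }
    # The buffer holds the target the symbolic link points at, typically
    # a \Device\HarddiskVolumeN object for a fixed disk.
    $buf.ToString()
}

# Usage: show where C: really points in the object manager namespace
Resolve-DosDevice -Name 'C:'
```

Because user-mode code cannot browse the object manager namespace directly, QueryDosDevice is the simplest documented way to confirm that a drive letter is a link rather than a directory; the same call also works for other names under the \GLOBAL?? directory, such as "PhysicalDrive0".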

The more recent mechanism, used to link one file to another within the file system, is the mklink command.

The same can be done through the API:

BOOLEAN CreateSymbolicLinkA(
  LPCSTR lpSymlinkFileName,
  LPCSTR lpTargetFileName,
  DWORD  dwFlags
);

NTFS Mount Points/Directory Junctions

Directories are linked with mount points/directory junctions. The link directory must be empty, and the user needs a write handle to the parent directory.

mklink /J systest C:\Windows\System32

Programmatically, the junction's reparse data is set on the directory handle with DeviceIoControl (using the FSCTL_SET_REPARSE_POINT control code):

BOOL DeviceIoControl(
  HANDLE       hDevice,
  DWORD        dwIoControlCode,
  LPVOID       lpInBuffer,
  DWORD        nInBufferSize,
  LPVOID       lpOutBuffer,
  DWORD        nOutBufferSize,
  LPDWORD      lpBytesReturned,
  LPOVERLAPPED lpOverlapped
);

Attack vector: First, create a directory junction, which only requires write permission over a directory. Next, create, for example, an Object Manager symlink on a log file in that directory that points to a file in a protected directory. If a privileged application performs write operations on a log file in a directory we control, it performs that same operation on the file the symlink points to. Say we find a privileged app that tries to delete a file with NT AUTHORITY\SYSTEM privileges; we can then redirect the delete operation to any other file that we have access to.
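The defensive check that follows from this is to look, in any user-writable directory a privileged service reads from or writes to (log, temp and spool directories), for reparse points whose target escapes that directory. The following added example (not code from the original post) does that audit: it enumerates junctions and symbolic links under a root and flags every one whose target lies outside the allowed prefixes. It assumes Windows PowerShell 5.1 or later, where Get-ChildItem exposes LinkType and Target on file system items; the function name and the sample path C:\ProgramData\ExampleService\Logs are assumptions of this example.

```powershell
# Added example (not from the original post): audit a directory tree for reparse points
# (junctions and symbolic links) and flag those whose target lies outside the tree.
function Find-SuspiciousReparsePoints {
    param(
        [Parameter(Mandatory)][string]$Root,   # directory to audit (hypothetical path in usage below)
        [string[]]$AllowedPrefixes = @($Root)  # link targets under these paths are considered expected
    )
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\')
    # -Attributes ReparsePoint restricts the listing to items carrying reparse data;
    # -Recurse does not descend into the links themselves.
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Target is a string in PowerShell 7 and a string[] in 5.1; normalise to an array
            $targets = @($item.Target) | Where-Object { $_ }
            foreach ($t in $targets) {
                $tFull = try { [System.IO.Path]::GetFullPath($t) } catch { $t }
                $inside = $false
                foreach ($p in $AllowedPrefixes) {
                    $pFull = [System.IO.Path]::GetFullPath($p).TrimEnd('\')
                    if ($tFull.Equals($pFull, [System.StringComparison]::OrdinalIgnoreCase) -or
                        $tFull.StartsWith($pFull + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                        $inside = $true; break
                    }
                }
                [pscustomobject]@{
                    Path     = $item.FullName
                    LinkType = $item.LinkType   # 'Junction' or 'SymbolicLink'
                    Target   = $t
                    Flagged  = -not $inside     # true when the link escapes the allowed tree
                }
            }
        }
}

# Usage (hypothetical service log directory): list every link that escapes the tree
Find-SuspiciousReparsePoints -Root 'C:\ProgramData\ExampleService\Logs' |
    Where-Object Flagged | Format-Table -AutoSize
```

A junction created with mklink /J as above shows up here with LinkType 'Junction' and a target outside the audited root, which is exactly the condition a privileged writer should refuse to follow. On the application side, the corresponding hardening is to open files in user-controlled directories with FILE_FLAG_OPEN_REPARSE_POINT and reject handles whose attributes include FILE_ATTRIBUTE_REPARSE_POINT, or to impersonate the requesting user so the operation runs with that user's rights rather than SYSTEM's.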