Solutions for handling symlink attacks

Status
Not open for further replies.

HostingH

Well-Known Member
Jan 13, 2008
cPanel Access Level
Root Administrator
Mod Note: Please see the summary here: Solutions for handling symlink attacks

How to prevent following on the server.

Server got hacked by creating symlink under non root user.

Example: Once you cd into 1.txt, you get full access to /

1.txt -> //

Please advise.
 

lbeachmike

Well-Known Member
Dec 27, 2001
Long Beach, NY
cPanel Access Level
Root Administrator
Looks like this must be the latest and greatest hack out there, because I just encountered the identical issue with one of my own servers. I've been hard-pressed to find anything documented on how to prevent this.

Any advice would be much appreciated.

Thanks.
 

HostingH

Well-Known Member
Jan 13, 2008
cPanel Access Level
Root Administrator
Hi lbeachmike,

We can disable it in httpd.conf, but the hacker is enabling it in .htaccess as follows, so we cannot disable it in the Apache configuration. We also chmoded ln to 700.

Code:
Options +FollowSymLinks

Please advise us.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
How precisely did you disable it in the httpd.conf file? If you uncheck FollowSymLinks in the WHM > Apache Configuration > Global Configuration area and save that setting, then httpd.conf should change to the following:

Code:
<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>
The setting for <Directory "/"> should not be overridable by any user's .htaccess file.
 

IBZ

Registered
Apr 10, 2011
> How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:
>
> Code:
> <Directory "/">
>     Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
>     AllowOverride All
> </Directory>
>
> <Directory "/usr/local/apache/htdocs">
>     Options Includes Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
> The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

FollowSymLinks can still be enabled by .htaccess.
I'm also looking for a solution to this issue.
 

majidnt

Well-Known Member
Nov 15, 2004
> How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:
>
> Code:
> <Directory "/">
>     Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
>     AllowOverride All
> </Directory>
>
> <Directory "/usr/local/apache/htdocs">
>     Options Includes Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
> The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

You should put this code in /usr/local/apache/conf/includes/pre_virtualhost_2.conf.
But it's not enough to prevent USING symlinks: attackers upload 1.zip and extract it, and the archive contains a ready-to-use symlink :)
 

lbeachmike

Well-Known Member
Dec 27, 2001
Long Beach, NY
cPanel Access Level
Root Administrator
> You shoud use this code on /usr/local/apache/conf/includes/pre_virtualhost_2.conf
> But it's not enough to prevent USING symlinks,attackers upload 1.zip and extract it,the file contain a ready-to-use symlink :)

Excellent point, which brings my question back to this:

Is there a way to ensure that a user would in no way have access to files outside of their home directory? I realize the symlink looks and feels like part of the home directory, but there certainly must be some viable solution to this otherwise any hacker can fully exploit any server with the very same recipe.

mrk
 

KhensU

Registered
Oct 1, 2008
So other than disabling FollowSymLinks altogether, are there any other solutions to this? We just got hit as well.
 

neutro

Well-Known Member
Apr 11, 2004
Got hit like this as well. How to prevent it? If we disable FollowSymLinks, is there any impact on web sites?
 

astopy

Well-Known Member
Apr 3, 2003
cPanel Access Level
Root Administrator
Wait... creating a symlink to / won't give the user write access to anything they didn't already have write access to -- symlinks don't give the user any extra privileges. What exactly is the problem here?

I'm aware of the problems of Apache following symlinks to other users' files, but as someone already pointed out all you need to do to stop that is disable FollowSymlinks, turn on SymLinksIfOwnerMatch and make sure FollowSymlinks isn't in AllowOverride. (And also be prepared to deal with all the support requests from people who try to install scripts with "Options +FollowSymlinks" in their default .htaccess files. Joomla, I'm looking at you :p)
 
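The recipe in the post above (FollowSymLinks off, SymLinksIfOwnerMatch on, FollowSymLinks kept out of what .htaccess may override) as a pair of shell helpers. This is an added example, not code from the forum or from cPanel: one function writes an Apache include that enforces the recipe, the other lists the customer .htaccess files (typically Joomla's default) that will start returning 500 once that include is live, so support can warn those customers before the change. The include path /usr/local/apache/conf/includes/pre_virtualhost_2.conf and /home as the root of the account directories are assumptions taken from the cPanel layout discussed in the thread.

```shell
#!/bin/sh
# Added example (not the forum's or cPanel's own code).
# write_symlink_hardening_include: emit an Apache include that turns
#   FollowSymLinks off server-wide and keeps it out of AllowOverride.
# find_htaccess_enabling_followsymlinks: find .htaccess files that try to
#   enable FollowSymLinks and would break (500) under that include.
# Assumed paths: /usr/local/apache/conf/includes/pre_virtualhost_2.conf
# for the include, /home as the root of the customer home directories.

# Write the hardening include to the path given as $1.
write_symlink_hardening_include() {
    cat > "$1" <<'EOF'
# Symlink hardening (added example). "/" is the outermost Directory block,
# so this applies to every account's public_html as well.
<Directory "/">
    # Turn FollowSymLinks off and follow a link only when the link and its
    # target belong to the same user, so a link into another account's files
    # (or to /) is refused with 403.
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    # "AllowOverride Options=<list>" (Apache 2.2 and later) limits which
    # Options an .htaccess may set. FollowSymLinks is left out of the list on
    # purpose: an .htaccess that tries to enable it gets a 500 instead of
    # re-enabling symlink following.
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch
</Directory>
EOF
}

# List the .htaccess files under $1 that contain an active (non-comment)
# "Options ... FollowSymLinks" line; those sites need the line removed.
find_htaccess_enabling_followsymlinks() {
    # grep exits 1 when nothing matches; that is not an error for an audit.
    grep -Eril --include=.htaccess '^[[:space:]]*Options[[:space:]].*FollowSymLinks' "$1" || true
}

# Usage: sh symlink_hardening.sh /usr/local/apache/conf/includes/pre_virtualhost_2.conf /home
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -eq 2 ]; then
    write_symlink_hardening_include "$1"
    echo "Sites whose .htaccess enables FollowSymLinks (will return 500 until edited):"
    find_htaccess_enabling_followsymlinks "$2"
fi
```

After writing the include, rebuild and restart Apache through WHM or cPanel's usual tooling and re-run the audit; a commented-out FollowSymLinks line (the usual Joomla fix) is deliberately not reported.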

BigLebowski

Well-Known Member
Dec 24, 2007
> What exactly is the problem here?

It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644), therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users' files on the server containing any password. It's a nuisance having to do this, and of course I need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.
 
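The two checks the post above describes doing by hand, as an added example that is not code from the forum or from cPanel: an audit that reports symlinks inside an account which resolve outside that account's home (the "1.txt -> /" pattern from the top of the thread) and one that finds world-readable credential files (wp-config.php, Joomla's configuration.php), plus the chmod 600 fix the post applies, written so it can run from root's cron. The cPanel layout of one directory per account under a single home root is assumed, as are the file names checked.

```shell
#!/bin/sh
# Added example (not the forum's or cPanel's own code). Audits for the
# exposure described above, intended for root's cron:
#   find_escaping_symlinks    - links resolving outside their account's home
#   find_world_readable_secrets - wp-config.php / configuration.php readable
#                                 by every user on the box
#   lock_down_secrets         - chmod 600 the files the previous audit found
# Assumes cPanel's layout: every account lives in <home root>/<user>.
# The audit looks for the links themselves rather than for use of /bin/ln,
# because a symlink can also be created by a scripting language's symlink()
# call or arrive inside an uploaded archive.

# Print "link -> target" for every symlink under $1 whose resolved target
# lies outside the owning account's home directory.
find_escaping_symlinks() {
    home_root=$(readlink -f "${1%/}") || return 1   # canonical, no trailing slash
    find "$home_root" -mindepth 2 -type l 2>/dev/null | while IFS= read -r link; do
        rel=${link#"$home_root"/}            # e.g. alice/public_html/1.txt
        user_home="$home_root/${rel%%/*}"    # e.g. /home/alice
        [ -e "$link" ] || continue           # dangling link: nothing can be read through it
        target=$(readlink -f "$link" 2>/dev/null) || continue   # unresolvable path: skip
        case "$target" in
            "$user_home"|"$user_home"/*) ;;  # stays inside the owner's home
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Print credential files under $1 that carry the "other: read" permission bit.
find_world_readable_secrets() {
    find "${1%/}" -type f \( -name wp-config.php -o -name configuration.php \) -perm -o+r 2>/dev/null
}

# Make those files readable by their owner only. This is safe where PHP runs
# as the account owner (suPHP, CGI/FCGI), which is why the post above notes
# the server runs suPHP; under mod_php, PHP runs as the web server user and
# a 600 file would stop the site working.
lock_down_secrets() {
    find_world_readable_secrets "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Usage: sh symlink_audit.sh /home [--fix]
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -ge 1 ]; then
    echo "Symlinks escaping their account:"
    find_escaping_symlinks "$1"
    echo "World-readable credential files:"
    find_world_readable_secrets "$1"
    [ "${2:-}" = "--fix" ] && lock_down_secrets "$1"
fi
```

A link that a hosting customer legitimately points at their own files (for example a second docroot inside the same home) is not reported, because the check is on whether the target leaves the account, not on the mere presence of a symlink; the escaping-link report is the list an administrator would review by hand before deciding what to remove.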

astopy

Well-Known Member
Apr 3, 2003
cPanel Access Level
Root Administrator
> It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course i need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.

Again, surely disabling FollowSymlinks and only allowing SymLinksIfOwnerMatch would prevent that?
 

BigLebowski

Well-Known Member
Dec 24, 2007
Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

Best
Dude
 

astopy

Well-Known Member
Apr 3, 2003
cPanel Access Level
Root Administrator
> Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

Joomla will show an internal server error with its default .htaccess file, because it includes Options +FollowSymlinks. Wordpress won't have any problems, and I haven't come across any major app other than Joomla that specifically tries to enable FollowSymlinks. Fixing the error is just a case of deleting (or commenting out) the FollowSymlinks line.

Since disabling FollowSymlinks we do occasionally get questions from customers who can't get Joomla to work, but we've decided that it's worth the extra support overhead to improve security.
 

astopy

Well-Known Member
Apr 3, 2003
cPanel Access Level
Root Administrator
> This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

Interesting. So, an attacker could request a regular file and then delete the file and replace it with a symlink after Apache checks what kind of file it is and before it reads the file. Correct?

I guess this would at least make the attack much harder, even if it doesn't guarantee that it would be prevented.
 

ServerMascot

Member
Jan 17, 2011
Change the permission of ln. Usually it will be located in /bin/ln (find it with "which ln").

do

Code:
chmod 760 /bin/ln
This removes the execute permission of the 'ln' command for other users.
 

lbeachmike

Well-Known Member
Dec 27, 2001
Long Beach, NY
cPanel Access Level
Root Administrator
> Change the permission of ln. Usually it will be located in /bin/ln (find it out by " which ln ")
>
> do
>
> Code:
> chmod 760 /bin/ln
> This is remove the execute permission of 'ln' command for other users.

This is an interesting suggestion. Can you better explain what negative impact this could have? Wouldn't it prevent all users from using symlinks?
 