Solutions for handling symlink attacks

[HostingH]

Mod Note: Please see the summary here: Solutions for handling symlink attacks
=

How to prevent following on the server.

Server got hacked by creating symlink under non root user.

Example: Once you cd 1.txt then you will get full access to /

1.txt -> //

Please advise.

 

[lbeachmike]

Looks like this must be the latest and greatest hack out there because I just encountered the identical issue with one of my own server. I've been hard-pressed to find anything documented of how to prevent against this.

Any advice would be much appreciated.

Thanks.

 

[HostingH]

Hi lbeachmike,

We can disable it in httpd.conf but hacker is enabling it under .htaccess as follows. So we can not disable it in Apache configuration. Also chmoded 700 to ln.
-----------
Options +FollowSymLinks
-----------

Please advise us.

 

[cPanelTristan]

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

 

[IBZ]

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

FollowSymLinks still can be enabled by .htaccess .
Im also looking for solution for this issue .

 

[majidnt]

You shoud use this code on /usr/local/apache/conf/includes/pre_virtualhost_2.conf
But it's not enough to prevent USING symlinks,attackers upload 1.zip and extract it,the file contain a ready-to-use symlink

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

 

[lbeachmike]

You shoud use this code on /usr/local/apache/conf/includes/pre_virtualhost_2.conf
But it's not enough to prevent USING symlinks,attackers upload 1.zip and extract it,the file contain a ready-to-use symlink

Excellent point - bringing my question back to -

Is there a way to ensure that a user would in no way have access to files outside of their home directory? I realize the symlink looks and feels like part of the home directory, but there certainly must be some viable solution to this otherwise any hacker can fully exploit any server with the very same recipe.

mrk

 

[HostingH]

Hello,

Can we set Sticky bit for / or /home so only owner can delete/modify the files like /tmp?

 

[KhensU]

So other than disabling FollowSymlinks all together are their any other solutions to this? We just got hit as well.

 

[neutro]

Got hit like this as well. how to prevent -if we disable follow symlinks any impact on web sites?

 

[DomineauX]

Seeing more of these attacks as well lately.

 

[astopy]

Wait... creating a symlink to / won't give the user write access to anything they didn't already have write access to -- symlinks don't give the user any extra privileges. What exactly is the problem here?

I'm aware of the problems of Apache following symlinks to other users' files, but as someone already pointed out all you need to do to stop that is disable FollowSymlinks, turn on SymLinksIfOwnerMatch and make sure FollowSymlinks isn't in AllowOverride. (And also be prepared to deal with all the support requests from people who try to install scripts with "Options +FollowSymlinks" in their default .htaccess files. Joomla, I'm looking at you :p)

 

[BigLebowski]

What exactly is the problem here?

It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course i need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.

 

[astopy]

It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course i need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.

Again, surely disabling FollowSymlinks and only allowing SymLinksIfOwnerMatch would prevent that?

 

[BigLebowski]

Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

Best
Dude

 

[astopy]

Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

Joomla will show an internal server error with its default .htaccess file, because it includes Options +FollowSymlinks. Wordpress won't have any problems, and I haven't come across any major app other than Joomla that specifically tries to enable FollowSymlinks. Fixing the error is just a case of deleting (or commenting out) the FollowSymlinks line.

Since disabling FollowSymlinks we do occasionally get questions from customers who can't get Joomla to work, but we've decided that it's worth the extra support overhead to improve security.

 

[cPanelKenneth]

Please keep in mind that SymLInksIfOwnerMatch is in no way a security restriction. See the Apache Group's own words on this here core - Apache HTTP Server

 

[astopy]

This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

Interesting. So, an attacker could request a regular file and then delete the file and replace it with a symlink after Apache checks what kind of file it is and before it reads the file. Correct?

I guess this would at least make the attack much harder, even if it doesn't guarantee that it would be prevented.

 

[ServerMascot]

Change the permission of ln. Usually it will be located in /bin/ln (find it out by " which ln ")

do

chmod 760 /bin/ln

This is remove the execute permission of 'ln' command for other users.

 

[lbeachmike]

Change the permission of ln. Usually it will be located in /bin/ln (find it out by " which ln ")

do

chmod 760 /bin/ln

This is remove the execute permission of 'ln' command for other users.

This is an interesting suggestion. Can you better explain what negative impact this could have? Wouldn't it prevent all users from using symlinks?