{
	"id": "794ad72e-e6e5-4adb-9801-29e08af2c859",
	"created_at": "2026-04-06T00:21:34.520239Z",
	"updated_at": "2026-04-10T03:19:55.989008Z",
	"deleted_at": null,
	"sha1_hash": "c37776342e44872f253556addacc120090f03f10",
	"title": "CAPEC-132: Symlink Attack (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55902,
	"plain_text": "CAPEC-132: Symlink Attack (Version 3.9)\r\nArchived: 2026-04-05 15:52:54 UTC\r\n Description\r\nAn adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint,\r\nassuming that it is accessing a file with the link's name.\r\n Extended Description\r\nThe endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a\r\nfile at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing\r\npermissions, or other modifications.\r\nIn some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The\r\nformer is especially damaging since the adversary may be able to grant themselves increased privileges or insert false\r\ninformation, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or\r\napplication files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed\r\nmalformed input into the target or to cause the target to process different information, possibly allowing the adversary to\r\ncontrol the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on\r\nthe endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions\r\nthat the adversary would normally have.\r\n Likelihood Of Attack\r\n Typical Severity\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels\r\nof abstraction. 
In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack\r\npatterns that the user may want to explore.\r\nNature Type\r\nChildOf Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\n Execution Flow\r\nExplore\r\n1. Identify Target: Adversary identifies the target application by determining whether there is sufficient check before\r\nwriting data to a file and creating symlinks to files in different directories.\r\nTechniques\r\nThe adversary writes to files in different directories to check whether the application has sufficient checking\r\nbefore file operations.\r\nThe adversary creates symlinks to files in different directories.\r\nExperiment\r\n1. Try to create symlinks to different files: The adversary then uses a variety of techniques, such as monitoring or\r\nguessing to create symlinks to the files accessed by the target application in the directories which are identified in the\r\nexplore phase.\r\nTechniques\r\nThe adversary monitors the file operations performed by the target application using a tool like dtrace or\r\nFileMon. And the adversary can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the\r\nhttps://capec.mitre.org/data/definitions/132.html\r\nPage 1 of 4\n\nappropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.)\r\ndepending on the purpose of the application.\r\nThe adversary may need a little guesswork on the filenames on which the target application would operate.\r\nThe adversary tries to create symlinks to the various filenames.\r\nExploit\r\n1. 
Target application operates on created symlinks to sensitive files: The adversary is able to create symlinks to\r\nsensitive files while the target application is operating on the file.\r\nTechniques\r\nCreate the symlink to the sensitive file such as configuration files, etc.\r\n Prerequisites\r\nThe targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or\r\nnot. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new\r\nsymbolic link where that file would appear.\r\n Skills Required\r\n[Level: Low]\r\nTo create symlinks\r\n[Level: High]\r\nTo identify the files and create the symlinks during the file operation time window\r\n Resources Required\r\nNone: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the\r\nnecessary symbolic link.\r\n Consequences\r\nThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security\r\nproperty that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in\r\ntheir attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative\r\nto the other consequences in the list. 
For example, there may be high likelihood that a pattern will be used to achieve a\r\ncertain impact, but a low likelihood that it will be exploited to achieve a different impact.\r\nScope Impact Likelihood\r\nConfidentiality Other\r\nIntegrity Modify Data\r\nConfidentiality Read Data\r\nIntegrity Modify Data\r\nAuthorization Execute Unauthorized Commands\r\nAccountability\r\nAuthentication\r\nAuthorization\r\nNon-Repudiation\r\nGain Privileges\r\nAccess Control\r\nAuthorization\r\nBypass Protection Mechanism\r\nAvailability Unreliable Execution\r\n Mitigations\r\nDesign: Check for the existence of files to be created; if they exist, verify that they are neither symlinks nor hard links\r\nbefore opening them.\r\nImplementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.\r\n Example Instances\r\nThe adversary creates a symlink with the same name as the file which the application is intending to write to. The\r\napplication will write to the file, causing the data to be written where the symlink is pointing. An attack like this can be\r\ndemonstrated as follows:\r\nroot# vulnprog myFile\r\n[...program does some processing...]\r\nadversary# ln -s /etc/nologin myFile\r\n[...program writes to 'myFile', which points to /etc/nologin...]\r\nIn the above example, the root user ran a program with poorly written file handling routines, providing the filename\r\n\"myFile\" to vulnprog for the relevant data to be written to. However, the adversary happened to be looking over the shoulder\r\nof \"root\" at the time, and created a link from myFile to /etc/nologin. The attack would leave no user able to log in.\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. 
Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant\r\nATT\u0026CK mappings. Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as part of the\r\nmapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID Entry Name\r\n1547.009 Boot or Logon Autostart Execution:Shortcut Modification\r\n References\r\n Content History\r\nSubmissions\r\nSubmission Date Submitter Organization\r\n2014-06-23\r\n(Version 2.6)\r\nCAPEC Content Team The MITRE Corporation\r\nModifications\r\nModification Date Modifier Organization\r\n2015-11-09\r\n(Version 2.7)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated References\r\n2017-08-04\r\n(Version 2.11)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Resources_Required\r\n2019-04-04\r\n(Version 3.1)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Consequences\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Taxonomy_Mappings\r\n2022-02-22\r\n(Version 3.7)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description, Example_Instances, Execution_Flow, Extended_Description, Prerequisites\r\n2022-09-29\r\n(Version 3.8)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Example_Instances\r\nSource: https://capec.mitre.org/data/definitions/132.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/132.html"
	],
	"report_names": [
		"132.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c37776342e44872f253556addacc120090f03f10.pdf",
		"text": "https://archive.orkl.eu/c37776342e44872f253556addacc120090f03f10.txt",
		"img": "https://archive.orkl.eu/c37776342e44872f253556addacc120090f03f10.jpg"
	}
}