Symbolic Link Exploit with Temporary Files Created in Shell Scripts

Many coders do not think that creating temporary files in a secure way is important, especially in shell scripts. It’s just a temporary file, they might say. But a simple symbolic link exploit could make the whole system unusable.

Let’s take a look at how this exploit works. Most often temporary files are created as follows within shell scripts.

command /path/to/file > /tmp/tempfile

An attacker who knows the name of the temporary file could create a symbolic link with that name pointing to a system file. For example, create a symbolic link /tmp/tempfile that points to /bin/bash.

# ls -l /tmp
lrwxrwxrwx  1 ibrahim users     6 Jan 22 22:55 tempfile -> /bin/bash

Now, if the script is run again (assuming it runs with root privileges), the redirection follows the link and /bin/bash gets overwritten, making the system unusable.
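
The overwrite described above, next to a hardened form of the same write, as an added example that is not part of the original post. It runs entirely inside a scratch directory, with a constructed protected.txt standing in for /bin/bash; the function names and the choice of mktemp as the fix are assumptions of this example.

```shell
#!/bin/sh
# Added example. Nothing outside a private scratch directory is touched;
# protected.txt is a constructed stand-in for the system file.

# Unsafe pattern from the article: predictable name, plain redirect.
# The shell opens the path without O_EXCL, so it follows an existing symlink.
write_unsafe() {
    # $1 = directory playing the role of /tmp
    echo "scratch data" > "$1/tempfile"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (mode 0600), so a link planted in advance is never opened.
write_safe() {
    tmp=$(mktemp "$1/tempfile.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    rm -f "$tmp"   # a real script would clean up with: trap 'rm -f "$tmp"' EXIT
}

# Plants the link the article describes, runs the given writer, and prints
# what the protected file contains afterwards.
demo() {
    writer=$1
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    echo "original" > "$sandbox/protected.txt"
    ln -s "$sandbox/protected.txt" "$sandbox/tempfile"
    "$writer" "$sandbox"
    cat "$sandbox/protected.txt"
    rm -rf "$sandbox"
}

echo "after unsafe write: $(demo write_unsafe)"
echo "after safe write:   $(demo write_safe)"
```

When a script has to use a fixed file name, setting the shell's noclobber option (set -C) before the redirect makes the write fail if the path already exists instead of following the link.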
