Protection against TOCTOU attacks for win32 API

Recently a security researcher sent us a CVE in our code where we are trying to use windows DeleteFileW and MoveFileW APIS and the researcher claims that they have scripts/code which can hijack the path sent to these APIs and replace them with symbolic links to windows system32 files or other sensitive files causing us to delete or move them. Our code runs as a privileged service and hence we need to prevent this kind of attack.

Since we are using Win32 APIs what is the best way forward? Our service needs to work on Win7 and above.

I’m not sure I understand your problem.

If your program is being attacked such that a path is being corrupted, isn’t the correct course of action to stop the name being changed? If the problem is that DeleteFileW is deleting the wrong file then I think the WIN32 development team need to know…

If you have a problem which is “I get a file name - I establish that this file name is one I am interested in, but when I delete the name isn’t correct” then I do not understand how this can happen: if it is a hard link then it is the link that is removed, if it is a soft link (of any sort) then ditto.

But regardless you could consider getting a HANDLE to the file, do all the tests on the HANDLE and then if its what you want issue a NtSetFileInformation to FileDispositionInformation.

@rod_widdowson said:

But regardless you could consider getting a HANDLE to the file, do all the tests on the HANDLE and then if its what you want issue a NtSetFileInformation to FileDispositionInformation.

This is what we now intend to do now, and drop using DeleteFile, which takes a path, and not a handle to the file name. However, rolling our own MoveFile is more complex than DeleteFileW.

the researcher claims that they have scripts/code which can hijack the path sent to these APIs and replace them with symbolic links to windows system32 files or other sensitive files causing us to delete or move them.

The question is, can they do this from non-privileged context or not? If they can create a link to a privileged file and you use it to write/delete thing, maybe keep all your data in places protected by proper ACLs.
If you write or delete files in places writable by non-privileged users, double check the filename/path after opening, as rod_widdowson advises.

For example after you open c:\users\dodo\foo.txt, call GetFinalPathNameByHandle and see if the path still is c:\users\dodo rather than in \windows\system32.

–pa

1 Like

@Albert said:
Recently a security researcher sent us a CVE in our code where we are trying to use windows DeleteFileW and MoveFileW APIS and the researcher claims that they have scripts/code which can hijack the path sent to these APIs and replace them with symbolic links to windows system32 files or other sensitive files causing us to delete or move them. Our code runs as a privileged service and hence we need to prevent this kind of attack.

Since we are using Win32 APIs what is the best way forward? Our service needs to work on Win7 and above.

hi,
did you mean Dll Hijack happen?

@Pavel_A said:

the researcher claims that they have scripts/code which can hijack the path sent to these APIs and replace them with symbolic links to windows system32 files or other sensitive files causing us to delete or move them.

The question is, can they do this from non-privileged context or not? If they can create a link to a privileged file and you use it to write/delete thing, maybe keep all your data in places protected by proper ACLs.
If you write or delete files in places writable by non-privileged users, double check the filename/path after opening, as rod_widdowson advises.

For example after you open c:\users\dodo\foo.txt, call GetFinalPathNameByHandle and see if the path still is c:\users\dodo rather than in \windows\system32.

–pa

Yes, we are now moving towards hybrid approach something similar to what you and Rod suggested. These are generic files, not our files, so we can not ACL protect them. The botheration is about having to roll our own APIs, which I really wanted to avoid.

@sennin said:

@Albert said:
Recently a security researcher sent us a CVE in our code where we are trying to use windows DeleteFileW and MoveFileW APIS and the researcher claims that they have scripts/code which can hijack the path sent to these APIs and replace them with symbolic links to windows system32 files or other sensitive files causing us to delete or move them. Our code runs as a privileged service and hence we need to prevent this kind of attack.

Since we are using Win32 APIs what is the best way forward? Our service needs to work on Win7 and above.

hi,
did you mean Dll Hijack happen?

in our case, not specifically DLLs, but yes, that happen also happen.

Yeah, Windows uses this approach when a privileged service is trying to verify that it opened (and is preparing to work with) the intended file. You may also find checking of file hard link count (which is now kinda obsolete because it is no longer possible to create hardl inks without the FILE_WRITE_ATTRIBUTES access right).

Also, you may consider taking advantage of user impersonation. For example, if your service receives input from an unprivileged process, it may impersonate its user (e.g. ImpersonateNamedPipeClient) in order not to operate with higher privileges. In that case, the service will not be able to delete system files simply because the user has no rights to do so.