Creating symbolics links on Windows systems  is a feature which has been added starting from Windows Vista.

Unlike Unix, where every user can create symbolic links,  in Windows,  to perform this operation you need a special privilege: SeCreateSymbolicLinkPrivilege.

This privilege, if granted, is only available in a high integrity level process.  The reason of this security countermeasures are not so clear.  Indeed, some abuse and eop has been documented here https://www.slideshare.net/OWASPdelhi/abusing-symlinks-on-windows , but there are other type of links you can create without any special privilege (ex: hard links)

MS also states that the privilege would prevent some unexpected behavior of softwares which does not know how to correctly handle symbolic links…

But back to us, why this post?

Because, recently I discovered that on my 2 Windows 10 boxes (ver. 1803 & 1809) a standard user was able to create symbolic links even without the SeCreateSymbolicLinkPrivilege.

symlink

This behavior drove me crazy and after some research (not too much accurate, I must admit), I asked Microsoft Security Reponse Center (MSRC) for further informations.

They immediately opened a case:

mail1.JPG

And after some hours they went back to me:mail2

 

Uhm… I found a bug on Windows 10 really?? Not possible, I’m not that expert,  so I decided to dig deeper and with a  precious hint of @tiraniddo i found the answer:

https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/

In short,  if you have “Developer Mode” feature enabled on your Windows 10 box starting from 1803, any user can create symbolic links without any special privilege.

To be honest, I ran into this article before, but I thought it was related to the the possibility to have the SeCreateSymbolicLinkPrivilege enabled in a medium IL process.

MS added a speciale flag: SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE in the CreateSymbolicLink API call, available only in the “Developer Mode” feature mode, to permit the creation of symbolic links for an unprivliged user.

On the contrary, it is not necessary to  pass special instructions to the lower level API call:

DeviceIoControl(FileHandle, FSCTL_SET_REPARSE_POINT,….

 

Mistery solved, but I remain astonished that MSRC was not aware about this feature.

In Italy we say:

“The left hand does not know what the right hand is doing” 

 

Wish you all the best for 2019!

 

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s