This vulnerability occurs when a Windows application opens a file or directory without properly validating that the path is not a symbolic link (junction or mount point) pointing to a location outside the application's intended security boundary.
On Windows NTFS file systems, junction points and mount points are types of symbolic links (reparse points) that can redirect file operations from one directory to another, potentially to a completely different drive or privileged location. If an application with elevated privileges opens a file without checking for these links, an attacker can replace the expected file with a link to a sensitive system file, registry key, or named object, tricking the application into performing unauthorized read, write, or delete operations. This allows privilege escalation or data manipulation because the privileged process unknowingly operates on the attacker's target. For example, an attacker could redirect a file operation to AUTOEXEC.BAT, critical configuration files, or security databases, causing the application to corrupt, expose, or modify sensitive data with its own high-level permissions. Developers must explicitly validate paths and handle reparse points to confine operations within the intended directory scope.
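As an added example (not from the original page), the defender-side check the last sentence calls for: walk every component under the intended root, reject any that is a reparse point, and confirm the resolved path is still inside the root. Python's os.lstat exposes the Windows reparse-point attribute; on POSIX the same routine falls back to S_ISLNK, and the constructed layout in demo() uses symlinks to stand in for planted junctions.

```python
import os
import stat
import tempfile

# Added example (not from the page): refuse to open root/relative for a
# privileged service if any component is a reparse point (junction, mount
# point, symlink) or if the path resolves outside root.

def is_reparse_point(st: os.stat_result) -> bool:
    """True if the lstat()ed entry is a symlink, junction or mount point."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def check_confined(root: str, relative: str):
    """None if root/relative may be opened, else the rejection reason. Each
    component is lstat()ed, so a junction planted mid-path is caught too."""
    root = os.path.realpath(root)
    parts = [p for p in relative.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory component"
    current = root
    for part in parts:
        current = os.path.join(current, part)
        if is_reparse_point(os.lstat(current)):
            return f"reparse point at {os.path.relpath(current, root)}"
    if os.path.commonpath([root, os.path.realpath(current)]) != root:
        return "resolves outside root"
    return None

def safe_open_within(root: str, relative: str, flags: int = os.O_RDONLY) -> int:
    """Open only after the check passes; O_NOFOLLOW narrows the check-then-open race."""
    reason = check_confined(root, relative)
    if reason is not None:
        raise PermissionError(f"refusing {relative!r}: {reason}")
    return os.open(os.path.join(root, relative), flags | getattr(os, "O_NOFOLLOW", 0))

def demo() -> dict:
    """Constructed layout: root/config.ini is legitimate; two symlinks pointing
    outside root stand in for planted junctions.  Returns each verdict."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "svc"), os.path.join(base, "outside")
    for d in (root, outside):
        os.makedirs(d)
    open(os.path.join(root, "config.ini"), "w").close()
    open(os.path.join(outside, "secret.txt"), "w").close()
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "leaf_link"))
    os.symlink(outside, os.path.join(root, "dir_link"), target_is_directory=True)
    os.close(safe_open_within(root, "config.ini"))  # legitimate file opens fine
    return {rel: check_confined(root, rel) for rel in
            ("config.ini", "leaf_link", "dir_link/secret.txt", "../outside/secret.txt")}
```

The per-component lstat is still a check-then-act sequence; on Windows the robust equivalent is to open the directory handle first and then open relative to it with flags that refuse to traverse reparse points.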
Impact: Read Files or Directories
Read arbitrary files by replacing a user-controlled folder with a mount point and additional hard links.
Impact: Modify Files or Directories
Modify an arbitrary file by replacing the rollback files in installer directories, since the installer can be made to execute those rollbacks.
Impact: Modify Files or Directories
Even if there is no control over the contents, an arbitrary file delete or overwrite (when running as SYSTEM or admin) can be used for a permanent system denial of service, e.g. by deleting a startup configuration file so that the service can no longer start.
Strategy: Separation of Privilege