logo

Windows Shortcut Following (.LNK)

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application opens a file or directory without properly validating that it is a Windows shortcut (.LNK). If the shortcut's target points to a location outside the application's intended security boundary, an attacker can trick the software into accessing unauthorized files.

Extended Description

Windows shortcut files (.LNK) contain a reference to a target file or folder, but they are separate objects with their own permissions. An application that fails to resolve the shortcut's final destination before performing operations can be manipulated. An attacker can place a malicious .LNK file in a location the application trusts, but configure it to point to a sensitive system file or a directory they shouldn't have access to, effectively bypassing intended access controls. This allows for unauthorized file reads or writes. For example, an application designed to process user-uploaded files in a sandboxed folder could be tricked into reading the Windows SAM database or overwriting a critical configuration file because it blindly follows the shortcut. The core security failure is not canonicalizing the path to the shortcut's true target and checking if that resolved path is within the allowed scope before proceeding.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Observed Examples 7
CVE-2019-19793network access control service executes program with high privileges and allows symlink to invoke another executable or perform DLL injection.
CVE-2000-0342Mail client allows remote attackers to bypass the user warning for executable attachments such as .exe, .com, and .bat by using a .lnk file that refers to the attachment, aka "Stealth Attachment."
CVE-2001-1042FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2001-1043FTP server allows remote attackers to read arbitrary files and directories by uploading a .lnk (link) file that points to the target file.
CVE-2005-0587Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
CVE-2001-1386".LNK." - .LNK with trailing dot
CVE-2003-1233Rootkits can bypass file access restrictions to Windows kernel directories using NtCreateSymbolicLinkObject function to create symbolic link
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Operation
Alternate Terms

Windows symbolic link following

symlink
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • Software Fault Patterns
Notes
Research GapUnder-studied. Windows .LNK files are more "portable" than Unix symlinks and have been used in remote exploits. Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.