Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Security advisory for the standard library in Rust (CVE-2022-21658)

The Rust Security Response WG, posted 4 years ago
  • Most programming languages, including Rust, have wrappers around the file system for creating, editing and deleting files. A common problem to worry about in these cases is symbolic links. If an attacker can convince a privileged program to operate on a path that is actually a symbolic link pointing somewhere else, this can create major security problems.
  • As a result, Rust has built-in protections for this type of attack. The standard library will NOT follow symbolic links unless it is explicitly allowed in the function call. For remove_dir_all, the documentation explicitly says "This function does not follow symbolic links and it will simply remove the symbolic link itself." Awesome, so everything should be good!
  • Validating whether a path is a symbolic link or a regular file can go wrong in many ways though. These types of exploits commonly rely on time-of-check vs. time-of-use (TOCTOU) vulnerabilities, where the validation checks the security property first and the action is performed later. If something is changed between the check and the use, the original security validation can be bypassed.
  • In the case of files and symbolic links, the vulnerability is that a validation is done to see if the path is a symbolic link or not. If this check passes, the standard library deletes the directory since it believes that a symlink is not being used. However, this suffers from a TOCTOU problem. If the validation sees a real directory but the entry is swapped for a symbolic link before the deletion happens, the validation means nothing.
  • This race condition had an extremely tight window, but with enough tries an attacker would be able to exploit it. It is interesting that this was a known issue, yet the validation of the symlink suffered from the same bait-and-switch attack it was trying to prevent. Good find!
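To make the check-vs-use gap concrete, here is an added example (my own illustration, not code from the advisory or from the Rust standard library's actual fix). It is Unix-only and uses std only. The path-based check is an lstat on the path; the hardened variant opens the directory first, validates with fstat on the handle it will actually use, and compares the (device, inode) identity against the one seen at check time. The "swap" is performed deterministically in a scratch directory under the temp dir, so the same code runs as a test; the scratch directory names are constructed for this example.

```rust
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Identity of a file system object: (device, inode). Two lookups that
/// return different pairs were not looking at the same object.
fn identity(meta: &fs::Metadata) -> (u64, u64) {
    (meta.dev(), meta.ino())
}

/// Path-based check (the pattern the advisory describes): lstat the path
/// and, if it is a real directory, return its identity. Nothing ties this
/// answer to the object a *later* lookup of the same path will reach.
fn check_real_dir(path: &Path) -> io::Result<Option<(u64, u64)>> {
    let meta = fs::symlink_metadata(path)?; // lstat: does not follow links
    Ok(if meta.file_type().is_dir() { Some(identity(&meta)) } else { None })
}

/// Handle-based variant: open first, then validate the object the handle
/// refers to (fstat). Subsequent work should go through the handle (or a
/// directory fd with *at calls), so no second path lookup can be redirected.
/// Fails if the object reached is not a directory or does not match the
/// identity recorded at check time.
fn open_validated_dir(path: &Path, expected: Option<(u64, u64)>) -> io::Result<File> {
    let handle = File::open(path)?;
    let meta = handle.metadata()?; // fstat on the handle, not a path lookup
    if !meta.file_type().is_dir() {
        return Err(io::Error::new(io::ErrorKind::Other, "not a directory"));
    }
    if let Some(id) = expected {
        if identity(&meta) != id {
            return Err(io::Error::new(io::ErrorKind::Other, "object changed between check and use"));
        }
    }
    Ok(handle)
}

/// Deterministic re-enactment of the race in a scratch directory (constructed):
/// check `victim`, replace it with a symlink to `target` (standing in for the
/// swap that happens inside the window), then compare a naive path-based use
/// with the handle-based one. Returns
/// (check passed, handle open passed before swap, naive use still sees a dir, handle use detects swap).
fn demonstrate() -> io::Result<(bool, bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let victim = base.join("victim");
    let target = base.join("target");
    fs::create_dir_all(&victim)?;
    fs::create_dir_all(&target)?;

    // 1. Check: lstat says "real directory"; remember its identity.
    let checked_id = check_real_dir(&victim)?;
    let check_passed = checked_id.is_some();
    let handle_ok_before = open_validated_dir(&victim, checked_id).is_ok();

    // 2. Swap: the directory entry becomes a symlink pointing elsewhere.
    fs::remove_dir(&victim)?;
    std::os::unix::fs::symlink(&target, &victim)?;

    // 3a. Naive use: metadata() follows the link, so the path still "is" a directory.
    let naive_still_dir = fs::metadata(&victim)?.is_dir();

    // 3b. Handle-based use: the fstat identity no longer matches the checked object.
    let handle_detects_swap = open_validated_dir(&victim, checked_id).is_err();

    fs::remove_dir_all(&base)?;
    Ok((check_passed, handle_ok_before, naive_still_dir, handle_detects_swap))
}

fn main() -> io::Result<()> {
    let (checked, before, naive, detected) = demonstrate()?;
    println!("lstat check passed: {checked}");
    println!("handle-based open passed before swap: {before}");
    println!("path-based use still sees a directory after swap: {naive}");
    println!("handle-based use detected the swap: {detected}");
    Ok(())
}
```

The point of the identity comparison is not that it is the specific fix Rust shipped; it is that the validation and the operation must refer to the same object, which a path cannot guarantee and an open handle can. The real fix in the standard library moved remove_dir_all to file-descriptor-relative traversal for the same reason.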