Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations

Bocheng Xiang, Yuan Zhang, Fengyu Liu, Hao Huang, Zihan Lin, and Min Yang, Fudan University

Symbolic links are widely used in file operations on Windows to facilitate seamless interaction and enhance the overall user experience. However, developers' failure to properly validate symbolic links during file operations has led to Link Following Vulnerabilities (LFVulns), enabling attackers to manipulate system files arbitrarily.

In this paper, we conduct a comprehensive analysis of existing LFVulns and reproduce 42 of them for in-depth empirical research. Our findings uncover the root causes of LFVulns and identify the key factors hindering their detection and exploitation. To bridge this gap, we developed LinkZard, a prototype for the automated detection and exploitation of LFVulns targeting Windows systems. LinkZard consists of two main phases. The exploration phase employs efficient file state fuzzing to uncover potential vulnerabilities, while the exploitation phase locates sinks and applies code wrapping strategies to achieve automatic exploitation. We applied LinkZard to 120 commercial programs from vendors such as Microsoft, Apple, and Intel, successfully detecting and exploiting 55 zero-day vulnerabilities. We responsibly reported all identified vulnerabilities to the affected vendors. To date, 49 of them have been confirmed and patched, resulting in 15 CVE assignments and bounty rewards.
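The root cause named in the abstract is a privileged file operation that trusts a path without checking whether any component of it is a symbolic link or other reparse point. The following is an added illustration written for this page, not code from the paper or from LinkZard: it walks every component of a path beneath a service's writable base directory, flags the first symlink or reparse point it meets, and refuses the write. The directory layout, the `SomeService` name and the `config.sys` stand-in file are constructed for the demo. On Windows, `os.lstat` also exposes `st_file_attributes`, so junctions and mount points (which are reparse points but not `S_ISLNK` symlinks) are caught by the same check.

```python
"""Defensive check against link following: refuse a privileged write when the
target path traverses a symbolic link or other reparse point.
Added example for this page; not the paper's or LinkZard's code."""
import os
import stat
import tempfile
from pathlib import Path


def is_reparse_point(p: Path) -> bool:
    """True if p itself is a symlink (any OS) or carries the Windows
    reparse-point attribute (junction, volume mount point, ...)."""
    st = os.lstat(p)                      # lstat: do not follow the link
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)   # Windows only; 0 elsewhere
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_component(path, base):
    """Walk each component of `path` below `base`. Return the first
    component that is a reparse point, or None if the path is clean.
    Components that do not exist yet (a file about to be created) are
    not links and end the walk."""
    path, base = Path(path), Path(base)
    rel = path.relative_to(base)          # ValueError if path escapes base lexically
    if ".." in rel.parts:
        raise ValueError("path contains '..'")
    cur = base
    for part in rel.parts:
        cur = cur / part
        if not os.path.lexists(cur):      # lexists: a dangling symlink still counts
            break
        if is_reparse_point(cur):
            return cur
    return None


def safe_write(base, relative, data: bytes) -> int:
    """Write `data` to base/relative only if no component is a reparse point.
    Returns bytes written; raises PermissionError on a planted link."""
    target = Path(base) / relative
    bad = find_reparse_component(target, base)
    if bad is not None:
        raise PermissionError(f"refusing to follow reparse point at {bad}")
    with open(target, "wb") as f:
        return f.write(data)


def demo():
    """Constructed scenario: a service writes under base/; a low-privileged
    user has planted links inside that writable directory pointing at a
    protected file. Returns which paths were flagged and which write
    attempts were blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "ProgramData" / "SomeService"      # constructed names
        (base / "logs").mkdir(parents=True)
        protected = Path(tmp) / "Windows" / "System32" / "config.sys"  # stand-in
        protected.parent.mkdir(parents=True)
        protected.write_text("original")

        # Planted by the untrusted user: a file link and a directory link.
        # (os.symlink needs a privilege or Developer Mode on Windows.)
        os.symlink(protected, base / "logs" / "app.log")
        os.symlink(protected.parent, base / "dirlink")

        checks = {
            "clean": find_reparse_component(base / "logs" / "new.log", base),
            "file_link": find_reparse_component(base / "logs" / "app.log", base),
            "dir_link": find_reparse_component(base / "dirlink" / "config.sys", base),
        }
        flagged = {k: (v.relative_to(base).as_posix() if v else None)
                   for k, v in checks.items()}

        blocked = {}
        for rel in ("logs/new.log", "logs/app.log", "dirlink/config.sys"):
            try:
                safe_write(base, rel, b"log line\n")
                blocked[rel] = False
            except PermissionError:
                blocked[rel] = True
        untouched = protected.read_text() == "original"
        return flagged, blocked, untouched


if __name__ == "__main__":
    print(demo())
```

This check is a detection layer, not a complete fix: between the walk and the `open` an attacker can still swap a directory for a link (the classic time-of-check/time-of-use window). The durable mitigation on Windows is to open with `FILE_FLAG_OPEN_REPARSE_POINT` or impersonate the requesting user so the privileged process has no more rights over the path than the user who controls it; the walk above is what a log-analysis or code-review pass would look for as evidence that such validation exists.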

Category: Long Presentation


BibTeX
@inproceedings {309814,
author = {Bocheng Xiang and Yuan Zhang and Fengyu Liu and Hao Huang and Zihan Lin and Min Yang},
title = {Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {7019--7038},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/xiang-bocheng},
publisher = {USENIX Association},
month = aug
}
