Files are a significant attack vector for security boundary violation, yet a systematic understanding of the vulnerabilities underlying these attacks is lacking. To bridge this gap, we introduce the concept of File Hijacking Vulnerability (FHVuln) for the first time, which refers to the vulnerability that allows attackers to breach security boundaries by manipulating file content or file paths. We conduct the first empirical study on FHVulns, investigating 268 well-documented FHVuln CVE records from January 2020 to October 2022. Our study revealed the origins and triggering mechanisms of FHVulns and identified that existing techniques have overlooked the majority of FHVulns. As a result, we anticipated a significant prevalence of zero-day FHVulns in software. We developed a dynamic analysis tool, JERRY, which effectively detects FHVulns at runtime by monitoring program execution and simulating hijacking actions. We applied JERRY to 438 popular software programs from vendors like Microsoft, Google, Adobe, and Intel, and found 339 zero-day FHVulns. We reported all vulnerabilities identified by JERRY to the corresponding vendors, and as of now, 84 of them have been confirmed or fixed, with 51 CVE IDs granted and $83,400 bug bounties earned.
A file hijacking vulnerability identified by JERRY
Attacker Bob:
Try to Create C:\Users\Alice\.git\ => Failed
Try to Create C:\Users\.git\ => Failed
Try to Create C:\.git\ => Success (Hijack)
Victim Alice:
Alice Invoke git command under C:\Users\Alice
git search .git directory
C:\Users\Alice\.git\ => Not Exist
C:\Users\.git\ => Not Exist
C:\.git\ => Exist (Hijacked By Bob)
git use config under C:\.git\
exploit
The threat model of FHVulns and overview of our empirical Study
Attacker : Hijack File Content or File Path (RQ1)
VicTim:Use it. (RQ2 & RQ3)
Observation 1: Most (89.9%) hijacked files are due to the five search strategies employed by the programs and the underlying operating systems, while the rest come from files created by programs with weak permissions.
Observation 2: There are six types of dangerous operations on hijacked files subject to file hijacking attacks. Among the six types of operations, process creation and image loading are most frequently exploited (accounting for 28.4% and 45.1% of total vulnerabilities, respectively). The other four types of dangerous operations are moving (1.1%), reading (7.1%), creating (8.2%), and deleting (10.1%).
Observation 3: While the majority (62.3%) of FHVulns are exploited during the Starting up stage, FHVulns can be triggered at any stage during the software lifecycle, i.e., Installation(17.2%), Uninstallation(4.5%), Updating(1.9%) , Repairing(3.7%) and Usage(10.4%).
Event Trace Generator
Executes the target program at each stage and record executed file operation traces.
FHVuln Detector
Examines each execution traces and a FHVuln will be reported if the trace performs dangerous operations on hijacked files.
Path Pool Maintainer
Collects files encountered in the event trace and puts them into the path pool. In this step, JERRY also checks if the file refers to a normal file or a directory.
Path Hijacker
Tries to hijack and create each file in the path pool. In this regard, the path hijacker acts as an attacker with no administrator/root privilege to mimic the hijacking actions.
Known Vulnerability
51 FHVulns in Empirical Study
Unknow Vulnerability
438 Real-world software
FN Analysis for JERRY.
JERRY only missed one vulnerability, which all other baseline tools also missed. After investigation, we found that the missed vulnerability was CVE-2020-26284 [14], which existed in the file parsing module of the Go language standard library. The vulnerability required parsing specific content and invoking the relevant module to trigger it.
FP/FN Analysis for PrivescCheck and JERRY-Crassus.
We also analyzed the false positives/false negatives in PrivescCheck and JERRY-Crussus. For false positives, PrivescCheck reported 14 false positives, which resulted from its method of scanning the parent directory permissions when encountering an executable. In particular, if the parent directory has weak permissions, it will report a potential FHVuln as a result of DLL hijacking. However, it is possible that the executable is not loading any missing DLLs from that directory, which results in false positives. In addition, JERRY-Crassus checked all the recorded paths after running the software, and reported those with weak permissions, which resulted in seven false positives.
For false negatives, excluding the vulnerability (i.e., CVE-2020-26284) mentioned above that none of the three tools could detect, PrivescCheck failed to detect 30 vulnerabilities in total. 20 of these vulnerabilities resulted from its neglect of certain operations that could cause vulnerabilities, such as reading (10), creating (5), deleting (4), and moving (1). Moreover, PrivescCheck missed one vulnerability (i.e., CVE-2020-15145) because it only scanned the permissions in the installation directories listed in the registry. The remaining nine vulnerabilities were overlooked because it only considered the vulnerabilities during the installation phase. Similarly, JERRY-Crassus missed 13 vulnerabilities, with CVE-2020-26284 excluded. Among them, 10 false positives were reported because the tool did not take into account the impact of creating (5), deleting (4), and moving (1) operations. In addition, it only scanned a limited range of openssl.cnf, resulting in missing 3 out of 10 vulnerabilities related to read operations.
FP Analysis for JERRY.
JERRY has reported 21 false positive issues, all of which are related to read operation. For example, we discovered instances where an program reads file content without utilizing it or where the data is rendered useless. For instance, the Azure CLI leverages the “knack” package to load configuration settings, utilizing a bottom-up search policy to locate the “.azure/config” file. This process involves reading the contents of all identified files during initialization. However, the configuration settings used can be controlled by a parameter, making the content of the configuration file useless. It is worth noting that some configuration files
may not be suitable for Windows systems due to the use of Linux file paths, which may lead to hijacking. Additionally, it is important to mention that certain configurations can only be utilized in Linux systems (e.g.,
C:\etc\gcrypt\fips_enabled).
Case Studies.
We present two examples to demonstrate how the user interface exploration and path inference features of JERRY facilitate the detection of critical FHVulns.
CVE-D.
While testing Visual Studio, the UI Explorer of JERRY initially clicks the button labeled as “Git” and opens a menu list. Subsequently, from the menu list, the UI Explorer selects the item labeled as “Open git in cmd”. Visual Studio then searches for git.exe in CWD, which has weak permissions. JERRY detects this file operation and places a malicious git.exe in CWD. Moreover, it confirms that the malicious git.exe is successfully loaded into Visual Studio. JERRY automatically documents the detailed steps of the entire exploit process, as well as the potential security impacts (i.e., arbitrary code execution) for this vulnerability. We reported this FHVuln along with the generated steps to MSRC and received confirmed feedback quickly. Due to its severity, MSRC rewarded us with $30,000.
CVE-E.
Gem [48] is a package manager of Ruby programming language. While starting up, Gem attempts to access a file or directory with the path C:\ProgramData\gemrc. As the path does not exist, Gem stops to access the file or directory and continues executing the rest of the code. During
testing, JERRY detected this behavior and attempted to create a
malicious file with the path C:\ProgramData\gemrc for Gem. Gem was able to access the file and continued executing the rest of the code. As the rest of the code includes a reading operation, the malicious file was successfully loaded by Gem. Since C:\ProgramData\gemrc contains a URL to the central repositories, this FHVuln affects thousands of software packages built with Ruby. In other words, attackers can hijack links that lead to software package downloads. By redirecting these links to repositories under their control, attackers can plant malicious code in the software within the repositories. This nefarious activity has the potential to cause significant damage to the software supply chain.
Intel Bug Bounty with 5 FHVulns
Dell Bug Bounty with 6 FHVulns
Github Bug Bounty
Chrome Bug Bounty
Origins:
(a) clearly indicates that weak permissions of existing files was the most common origin of FHVulns, accounting for more than one-third (32%) of all occurrences. Dynamically loaded libraries was the second most frequent origin, accounting for 30% of the FHVulns. The remaining 38% was distributed among several other categories, including Linux paths on Windows (4%), unquoted paths (3%), path search order (6%), and bottom-up search (2%).
Operations:
(b) illustrates the distribution of various file operations. The chart shows the most prevalent types of file operations are reading (30%) and image loading (30%), followed by process creation (17%) and creating (17%). On the other hand, deleting (5%) and moving (1%) are the least frequent operations.
Stages:
(c) presents the distribution of various stages. The starting up stage accounts for the majority of FHVulns, representing 60% of the total occurrences. The installation stage follows with 31%, while the remaining stages, namely usage, uninstallation, and updating, account for only a minor fraction of 9%.
The bottom-up search strategy, a software tailored search strategy that led to eight new FHVulns in fundamental software like Git and Dotnet SDK that had gone unnoticed for 18 years, has not received extensive research attention.
Unlike built-in search strategies, this new type of strategy is OS-neutral and also results in eight FHVulns in our real-world experiment results. For instance, the vulnerability illustrated in Fig. 1 remained concealed in Git for 18 years, from the initial release of Git. Another similar FHVuln, CVE-F, was found in Dotnet SDK, which is the core functionality required to create Dotnet projects. Dotnet uses its own search strategies to locate the .config directory from the CWD to the root directory. When Dotnet is executed in a directory without a Dotnet project, it will eventually locates C:\.config, which can be hijacked by the attackers as C:\ is world-writable. By controlling the configuration in C:\.config\dotnet−tools.json, attackers can execute arbitrary code by making Dotnet download malicious tools from websites.
Reading operations result in more FHVulns than before (30.4% vs 7.1%), and they are more dangerous than we think.
Among existing FHVulns, only 7.1% of them involved reading operation, with 89.5% (17/19) of these cases attributed to reading the hijacked openssl.cnf file in OpenSSL library. In contrast, for new FHVulns, the percentage of reading operation is as high as 30.4% (103/339), representing a significant increase. Furthermore, the types of FHVulns involving reading operation in new FHVulns are more diverse than those in existing ones. Hijacking files with reading operation can lead to severe consequences, including arbitrary code execution (as illustrated in example case), URL redirection, and sensitive information disclosure. For example, CVE-B identified by JERRY enables attackers to hijack the settings.dat file, which contains a URL that Chrome uses to transmit diagnostic information to its servers. Attackers can replace the URL with their own URL to obtain the diagnostic information. Thus, reading operation poses greater risks than previously considered and requires more attention in the future.