According to Microsoft (MSRC), attacks involving symlinks stored on removable drives or in file system images (like VHDX) are not vulnerabilities.
If an unprivileged user manages to quickly replace a regular file in such a location with a symlink to another file (can point anywhere, even into the C:\Windows directory), this is okay.
This means that attackers can defeat existing symlink mitigations ("RedirectionTrust" plus "only privileged users can create symlinks to files") when they are capable of:
- attaching and mounting a removable drive (AV:P/PR:L), or
- mounting a VHDX image (AV:N/PR:N in the worst case, when a VHDX image is delivered via e-mail and then it gets double-clicked by a user, no code execution on the target machine required), or
- mounting a custom file-based container using disk encryption software like VeraCrypt (AV:L/PR:L, because anyone can mount a file-based container).
There is a small bonus: attackers win the race (against the program that follows symlinks when performing privileged operations) in almost every case, because the "replace a regular file with a symlink to another file" primitive comes from the NTFS driver, which performs "a more atomic" replace operation than any usermode application.
The secret is... This is about a crafted file system image, when the "\test\test.txt" file is opened/listed for the first three times (this number is attacker-controlled and can be tuned), it's a regular file; when this file is opened for the fourth time, it's a symlink (the actual replace is performed by the healing routines in the NTFS driver).
I'm attaching a screenshot demonstrating the "not-a-vulnerability".
Symlink attacks without code execution? Yes!
