When opening a file or directory, the software does not sufficiently handle the case where the name is a hard link to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
Extended Description
A system that fails to check for hard links can be vulnerable to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. AUTOEXEC.BAT). When the process opens the file, the attacker can assume the privileges of that process, or prevent the program from accurately processing data.
Time of Introduction
Implementation
Operation
Applicable Platforms
Languages
All
Operating Systems
Windows
Common Consequences
Scope: Confidentiality, Integrity
Effect: Technical Impact: Read files or directories; Modify files or directories
File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.
Potential Mitigations
Follow the principle of least privilege when assigning access rights to files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
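One way to perform the hard-link check that the Extended Description says is missing, shown as an added example that is not part of the original entry. The names open_single_link and HardLinkError and the file names in demo() are hypothetical; the check reads the link count from the opened handle (on Windows, Python fills st_nlink from the handle's file information), so the name cannot be swapped between check and use.

```python
import os
import stat
import tempfile


class HardLinkError(Exception):
    """The file is not a regular file with exactly one directory entry."""


def open_single_link(path, flags=os.O_RDONLY):
    """Open path; return the descriptor only if the file has one hard link."""
    fd = os.open(path, flags)
    try:
        info = os.fstat(fd)  # inspects the open handle, not the path
        if not stat.S_ISREG(info.st_mode):
            raise HardLinkError(f"{path}: not a regular file")
        if info.st_nlink != 1:
            raise HardLinkError(f"{path}: link count is {info.st_nlink}")
        return fd
    except Exception:
        os.close(fd)
        raise


def demo():
    """Constructed scenario: one ordinary file, one name that is a second
    hard link to a sensitive file. Returns what happened to each."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        sensitive = os.path.join(work, "sensitive.dat")  # constructed name
        plain = os.path.join(work, "plain.dat")          # constructed name
        planted = os.path.join(work, "spool.tmp")        # constructed name
        for name in (sensitive, plain):
            with open(name, "w") as fh:
                fh.write("data")
        os.link(sensitive, planted)  # second name for the sensitive file
        for label, name in (("plain", plain), ("planted", planted)):
            try:
                os.close(open_single_link(name))
                results[label] = "opened"
            except HardLinkError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Once the second link exists, the sensitive file's own name is rejected as well, since the link count belongs to the file rather than to either name.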