logo

UNIX Hard Link

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application opens a file or directory without verifying if the name points to a hard link that leads outside its intended security boundary. Attackers can exploit this to trick the software into accessing or modifying unauthorized system files.

Extended Description

Hard links allow multiple filenames to reference the same underlying data on a Unix-like filesystem. If a privileged application doesn't validate whether a provided path is a hard link, an attacker can replace an expected file with a link to a critical system file (like /etc/shadow). When the application performs operations, it unknowingly acts on the sensitive target instead. This bypasses intended access controls and can lead to privilege escalation or data corruption. For example, a log rotation tool running with elevated permissions might follow a hard link to overwrite a password file. Developers must explicitly check for hard links when handling files that require strict origin validation, especially in security-sensitive contexts.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Observed Examples 10
CVE-2001-1494Hard link attack, file overwrite; interesting because program checks against soft links
CVE-2002-0793Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
CVE-2003-0578Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
CVE-1999-0783Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
CVE-2004-1603Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
CVE-2004-1901Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
CVE-2005-0342The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.
CVE-2005-1111Hard link race condition
CVE-2021-21272"Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.
CVE-2003-1366setuid root tool allows attackers to read secret data by replacing a temp file with a hard link to a sensitive file
References 1
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • Software Fault Patterns