Windows Hard Link

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when a Windows application opens a file or directory without properly verifying if the path points to a hard link. An attacker can exploit this by creating a hard link that redirects the application to access files outside its intended permissions, potentially leading to unauthorized data manipulation.

Extended Description

Windows hard links allow multiple file paths to point to the same underlying data on disk. If your application doesn't specifically check for and handle these links, an attacker can replace an expected file with a hard link to any other file on the same volume. This bypasses normal path-based security checks, as the application follows the link thinking it's accessing the original file.

This becomes dangerous when privileged processes open files without link validation. For example, an attacker could link a temporary log file to a critical system file like AUTOEXEC.BAT. When the high-privilege process writes to what it thinks is a log, it actually overwrites system configuration. Similarly, reading operations could leak sensitive data, and deletion operations could damage system integrity by removing essential files through their alternate links.
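
An added example (not part of the original entry) of the link validation described above: the file is opened first and the link count is read from the open handle, so the file that was checked is the file that gets written. Python's `os.fstat` reports this count on Windows, where native code reads the same value as `nNumberOfLinks` from `GetFileInformationByHandle`; the function, class and file names are assumptions made for the illustration.

```python
import os
import stat
import tempfile


class HardLinkError(Exception):
    """Raised when the opened file is not a singly-linked regular file."""


def open_for_append_no_hardlink(path):
    """Open path for appending, refusing files that have extra hard links."""
    # The check runs on the open descriptor, not on the path (no re-resolution).
    # No O_TRUNC: nothing is modified before the check has passed.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise HardLinkError(f"{path}: not a regular file")
        if info.st_nlink != 1:
            raise HardLinkError(f"{path}: file has {info.st_nlink} links")
        return os.fdopen(fd, "a", encoding="utf-8")
    except Exception:
        os.close(fd)
        raise


def demo():
    """Constructed scenario: the log path is a second name for another file."""
    with tempfile.TemporaryDirectory() as workdir:
        sensitive = os.path.join(workdir, "settings.cfg")  # constructed name
        log_path = os.path.join(workdir, "app.log")        # constructed name
        with open(sensitive, "w", encoding="utf-8") as f:
            f.write("mode=secure\n")
        os.link(sensitive, log_path)  # both names now share the same data
        try:
            open_for_append_no_hardlink(log_path)
            refused = False
        except HardLinkError:
            refused = True
        with open(sensitive, encoding="utf-8") as f:
            unchanged = f.read() == "mode=secure\n"
        os.remove(log_path)  # back to a single link
        with open_for_append_no_hardlink(sensitive) as f:
            f.write("ok\n")  # a singly-linked file is accepted
        return refused, unchanged


if __name__ == "__main__":
    print(demo())
```

The check complements, and does not replace, the access-control mitigation listed below: keeping untrusted users from creating entries in the directory the privileged process writes to removes the opportunity to plant the link in the first place.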

Common Consequences
Scope: Confidentiality, Integrity

Impact: Read Files or Directories, Modify Files or Directories

Potential Mitigations
Phase: Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Observed Examples
CVE-2002-0725: File system allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.
CVE-2003-0844: Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.
References
Mark Dowd, John McDonald, and Justin Schuh. The Art of Software Security Assessment. Addison Wesley, 2006. ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Operation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • Software Fault Patterns