Corgea LogoCorgea Security Hub

CWE-62: UNIX Hard Link

Learn about CWE-62 (UNIX Hard Link), its security impact, exploitation methods, and prevention guidelines.

• Overview: UNIX Hard Link vulnerability occurs when an application does not adequately check if a file or directory name is associated with a hard link to a different file outside its intended control, potentially allowing unauthorized file operations.

• Exploitation Methods:

  • Attackers can exploit this by creating hard links to sensitive files, thus tricking the application into operating on files they should not access.
  • Common attack patterns include replacing a file used by a privileged program with a hard link to a critical system file, like /etc/passwd, to elevate privileges.

• Security Impact:

  • Direct consequences include unauthorized access to or modification of sensitive files.
  • Potential cascading effects include privilege escalation, data corruption, and system compromise.
  • Business impact involves data breaches, loss of customer trust, and potential legal ramifications.

• Prevention Guidelines:

  • Specific code-level fixes include validating file paths and ensuring operations are executed within intended directories.
  • Security best practices involve minimizing privileged operations and employing strict access controls.
  • Recommended tools and frameworks include using secure file handling libraries and implementing filesystem monitoring tools to detect unauthorized hard link creation.
Corgea can automatically detect and fix UNIX Hard Link in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import os

def open_file(user_input_path):
    # Attempt to open a file based on user input path
    with open(user_input_path, 'r') as file:
        data = file.read()
    return data

# User provides a path to a file
user_input_path = "/tmp/user_data.txt"
file_data = open_file(user_input_path)
print(file_data)

Explanation of Vulnerability

  • In the above code, the open_file function attempts to open a file at the path provided by the user.
  • If the file /tmp/user_data.txt is replaced with a hard link to a sensitive file (e.g., /etc/passwd), the program will open and potentially read the contents of the unauthorized file.
  • This is an instance of CWE-62 (UNIX Hard Link) vulnerability, as the code does not ensure the file being opened is within an intended control sphere.
  • The code does not perform any checks to ensure that the file is not a hard link to a sensitive file, leading to potential unauthorized access.

To fix this vulnerability, we need to ensure that the file being accessed is within a trusted directory or scope. This can be achieved by:

  1. Check File Ownership: Ensure the file is owned by an expected user or group.
  2. Use Secure Directories: Restrict file operations to secure directories where hard links cannot be maliciously created by unauthorized users.
  3. Canonical Path Verification: Resolve the canonical path of the file and verify it resides within an allowed directory.
  4. Use File Descriptors: Utilize file descriptors for file operations when possible, which are less susceptible to link attacks.

Fixed Code Example

import os

def open_file(user_input_path):
    # Resolve the canonical path
    real_path = os.path.realpath(user_input_path)
    allowed_directory = "/trusted_directory"
    
    # Verify the file's path is within the allowed directory
    if not real_path.startswith(allowed_directory):
        raise PermissionError("Access to the file is not allowed.")
    
    # Check file ownership to ensure it is not a hard link to a sensitive file
    if os.stat(real_path).st_uid != os.getuid():
        raise PermissionError("File ownership does not match the expected user.")
    
    # Open the file if it is within the trusted directory and ownership is verified
    with open(real_path, 'r') as file:
        data = file.read()
    return data

# User provides a path to a file
user_input_path = "/trusted_directory/user_data.txt"
file_data = open_file(user_input_path)
print(file_data)

Explanation of Fix

  • Canonical Path Resolution: We use os.path.realpath() to resolve the provided path to its canonical form. This helps in identifying any symbolic or hard links.
  • Directory Restriction: We restrict the operation to a specific directory (/trusted_directory) and verify that the resolved path starts with this directory path. This ensures that the file is within the permissible area.
  • Ownership Verification: We check that the file is owned by the expected user using os.stat() to prevent unauthorized access through hard links.
  • Error Handling: If the file is outside the allowed directory or ownership does not match, we raise a PermissionError, preventing unauthorized access.
  • This approach ensures that even if a hard link is created, it will not affect the program's ability to enforce its access control policy.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-62: UNIX Hard Link and get remediation guidance

Start for free and no credit card needed.