CWE-65: Windows Hard Link
Learn about CWE-65 (Windows Hard Link), its security impact, exploitation methods, and prevention guidelines.
What is Windows Hard Link?
• Overview: Windows Hard Link vulnerability occurs when a program does not properly handle hard links, allowing attackers to manipulate file paths to unauthorized files outside the intended control area.
• Exploitation Methods:
- Attackers can replace a file used by a privileged program with a hard link to a sensitive file.
- Common attack patterns include privilege escalation by tricking a program into accessing files it shouldn't, and denial of service by redirecting file operations.
• Security Impact:
- Direct consequences include unauthorized file access and privilege escalation.
- Potential cascading effects could lead to broader system compromise and data corruption.
- Business impact may involve data breaches, loss of sensitive information, and damage to company reputation.
• Prevention Guidelines:
- Implement checks to ensure files accessed are within the intended directory and not linked to external paths.
- Adopt security best practices such as least privilege principle and regular audit logging.
- Utilize recommended tools and frameworks that provide secure file handling APIs and path validation.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
import os
def open_file(file_path):
# Vulnerable code: Opening a file without checking if it's a hard link
with open(file_path, 'r') as file:
content = file.read()
return content
# Usage example
# An attacker could create a hard link to a sensitive file outside the intended directory
# and trick this function into reading it.
How to fix Windows Hard Link?
To fix the Windows Hard Link vulnerability, you must ensure that the file being accessed is not a hard link to an unauthorized file. This can be done by checking the file's inode and file system to verify that it resides in the intended directory. Additionally, employing access controls and file system attributes can help prevent unauthorized link creation.
Specific Steps to Fix:
-
Check File Inode and File System: Before opening the file, ensure that its inode and file system are consistent with those of the directory where the file is expected to reside.
-
Restrict Hard Link Creation: Limit the ability of unauthorized users to create hard links in the file system.
-
Use Secure Directory and File Permissions: Ensure the directory and files have secure permissions to prevent unauthorized modifications.
Fixed Code Example
import os
import stat
def is_safe_file_access(file_path, directory):
# Check if the file's directory and inode match the expected directory
try:
file_stat = os.stat(file_path)
dir_stat = os.stat(directory)
# Ensure the file is on the same device and within the expected directory
return (file_stat.st_dev == dir_stat.st_dev and
os.path.commonpath([os.path.realpath(file_path), directory]) == os.path.realpath(directory))
except FileNotFoundError:
return False
def open_file(file_path, directory):
# Fixed code: Ensure the file is within the intended directory and not a hard link
if is_safe_file_access(file_path, directory):
with open(file_path, 'r') as file:
content = file.read()
return content
else:
raise PermissionError("Access to the file is unauthorized.")
# Usage example
# Securely open a file only if it resides within the specified directory
Explanation:
- Lines 12-17: The
is_safe_file_accessfunction checks that the file resides on the same file system (device) as the intended directory and usesos.path.realpathto resolve any symbolic links, ensuring the file is not a hard link to an unauthorized file. - Line 20: The
open_filefunction now includes a check to ensure the file access is safe before proceeding to open the file. - Line 22: If the file is not safe to access, an exception is raised to prevent unauthorized file operations.
This approach ensures that the application does not operate on files outside of its control sphere, mitigating the CWE-65 vulnerability.