...
If the process is running with elevated privileges, an attacker can exploit this code by, for example, replacing the file with a symbolic link to the /etc/passwd authentication file. The attacker can then overwrite data stored in the password file to create a new root account with no password. As a result, this attack can be used to gain root privileges on a vulnerable system.
...
Hard links are problematic because, if a file has multiple hard links, it is impossible to determine which link was created first. Likewise, it is impossible to determine which link might have been created by a malicious attacker.
One way to deal with hard links is simply to refuse to open any file that has two or more hard links. The following code snippet, when inserted into the previous example, detects whether a file has multiple hard links:
```c
/* orig_st was filled in by the lstat() call of the previous example.
 * A link count above 1 means another directory entry names this inode.
 * Apply this only to regular files: directories always have st_nlink > 1. */
if (orig_st.st_nlink > 1) {
    /* file has multiple hard links */
}
```
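Putting the symbolic-link and hard-link checks together, the following is an added example (not code from this page or from the CERT example it abbreviates) of how a privileged program can open a file while refusing both kinds of link. It assumes a POSIX system with O_NOFOLLOW; the function and enum names are the example's own, and the scratch directory it builds under /tmp is a constructed fixture, not a real system file.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of open_nolinks(); names are this example's own. */
enum open_result {
    OPEN_OK = 0,
    OPEN_ERR_SYMLINK,   /* path names a symbolic link */
    OPEN_ERR_HARDLINKS, /* file has two or more hard links */
    OPEN_ERR_NOTREG,    /* not a regular file */
    OPEN_ERR_RACE,      /* object at path changed between lstat() and open() */
    OPEN_ERR_SYSCALL    /* a system call failed; errno is set */
};

/* Open path for writing, refusing symbolic links and multiply-linked files.
 * On OPEN_OK, *fd_out receives the open descriptor. */
enum open_result open_nolinks(const char *path, int *fd_out)
{
    struct stat orig_st, new_st;
    int fd;

    /* lstat() reports on the link itself, not on its target. */
    if (lstat(path, &orig_st) != 0)
        return OPEN_ERR_SYSCALL;
    if (S_ISLNK(orig_st.st_mode))
        return OPEN_ERR_SYMLINK;
    if (!S_ISREG(orig_st.st_mode))
        return OPEN_ERR_NOTREG;

    /* O_NOFOLLOW makes open() fail with ELOOP if the final component was
     * swapped for a symlink after the lstat() above (the TOCTOU window). */
    fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno == ELOOP ? OPEN_ERR_SYMLINK : OPEN_ERR_SYSCALL;
    if (fstat(fd, &new_st) != 0) {
        close(fd);
        return OPEN_ERR_SYSCALL;
    }
    /* The object we opened must be the one we inspected. */
    if (orig_st.st_dev != new_st.st_dev || orig_st.st_ino != new_st.st_ino) {
        close(fd);
        return OPEN_ERR_RACE;
    }
    /* Decide on the descriptor's own metadata, not the earlier lstat(): a
     * second directory entry for this inode means someone else may have
     * planted it. Only meaningful for regular files (directories have > 1). */
    if (new_st.st_nlink > 1) {
        close(fd);
        return OPEN_ERR_HARDLINKS;
    }
    *fd_out = fd;
    return OPEN_OK;
}

/* Results of run_demo(), indexed as: 0 plain.txt (which has a hard link),
 * 1 the hard link itself, 2 a symlink to plain.txt, 3 a single-link file. */
enum open_result demo_results[4];

/* Build a constructed fixture under /tmp (not real system files), run
 * open_nolinks() on each entry, record the outcomes in demo_results and
 * remove the fixture. Returns 0 on success, -1 if the fixture failed. */
int run_demo(void)
{
    char dir[] = "/tmp/pos01-XXXXXX";
    char paths[4][64];
    static const char *names[] = { "plain.txt", "hard.txt", "sym.txt", "alone.txt" };
    int fd, i;

    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(paths[i], sizeof paths[i], "%s/%s", dir, names[i]);
    /* plain.txt and alone.txt are fresh files; hard.txt is a second hard
     * link to plain.txt; sym.txt is a symbolic link to plain.txt. */
    if ((fd = open(paths[0], O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || close(fd) != 0 ||
        link(paths[0], paths[1]) != 0 || symlink("plain.txt", paths[2]) != 0 ||
        (fd = open(paths[3], O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || close(fd) != 0)
        return -1;
    for (i = 0; i < 4; i++) {
        demo_results[i] = open_nolinks(paths[i], &fd);
        if (demo_results[i] == OPEN_OK)
            close(fd);
    }
    for (i = 0; i < 4; i++)
        unlink(paths[i]);
    rmdir(dir);
    return 0;
}

int main(void)
{
    static const char *verdict[] = { "OK", "SYMLINK", "HARDLINKS", "NOTREG", "RACE", "SYSCALL" };
    static const char *what[] = { "plain.txt (2 links)", "hard.txt", "sym.txt", "alone.txt" };
    int i;
    if (run_demo() != 0)
        return 1;
    for (i = 0; i < 4; i++)
        printf("%-20s -> %s\n", what[i], verdict[demo_results[i]]);
    return 0;
}
```

The point of the fstat() after open() is that the st_nlink decision is made on the descriptor actually being written to; checking only the earlier lstat() result leaves a window in which an attacker can add a link after the check passes.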
Because a hard link cannot be created if the link and the linked-to file are on different devices (file systems), many systems place system-critical files on a different device than user-editable files. For instance, the / directory, which contains critical system files such as /etc/passwd, resides on one disk, while the /home directory, which contains user-editable files, resides on a separate disk. This prevents users, for example, from creating hard links to /etc/passwd. Note that this layout only blocks cross-device links: a user who can write to a directory on the same file system as the target can still link to it unless the kernel forbids it (Linux, for example, refuses hard links to files the caller does not own and cannot read and write when the fs.protected_hardlinks sysctl is set to 1).
...
Failing to check for the existence of links can result in a critical system file being overwritten, leading to data integrity violations.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| POS01-C | medium | likely | high | P6 | L2 |
...