Bugtraq mailing list archives

Re: Windows MS-DOS Device Name DoS vulnerabilities


From: ByteRage <byterage () yahoo com>
Date: Sat, 7 Jul 2001 01:54:36 -0700 (PDT)


Unfortunately, QueryDosDevice is not supported on some
flavours of Windows. As stated on the Xitami Web
Server Support Mailing List
(http://xitami.ec-computers.net/2001/Apr/Msgs/l2w02603.html)

(start quote)
"Alas there was a bug in this code, and worse,
QueryDosDevice() isn't as well supported as one might
wish (or it appears even as well supported as it is
documented to be). The MSDN documentation claims
it is supported under Windows 98, and Windows NT/2000
(but not Win95), however based on the tests I've been
able to do to date: 

-- NT 4 SP 6a: supported, recognises all devices
(except, strangely LPT1 to LPT3 -- possibly because
the machine I was testing on has no printer support at
all, not even printer ports IIRC) 

-- Windows 98 SE: always returns "invalid parameters",
even for code that works just fine under NT 4 SP 6a. 

-- Windows 98 SE2: always returns "invalid
parameters", even for code that works just fine under
NT 4 SP 6a. 

-- Windows 95 OEM2: returns "unsupported" for most
devices, but also indicates that COM1 to COM4, and
LPT1 to LPT3 are devices (rather strange behaviour for
something that's otherwise unsupported!) 

As a result, I've rewritten the system_devicename()
detection routine that Xitami uses, to take a more
pragmatic approach: 

-- On a Win32 platform it tries calling
QueryDosDevice(); if it gets a sensible answer back
("I recognise that as a device", or "I don't recognise
that as a device"), then it believes what Windows is
saying, and acts accordingly. 

-- On non-Win32 platforms (DOS, OS/2), and on Win32
platforms where QueryDosDevice() returns silly results
(eg, Invalid parameters, Unsupported, etc), it checks
against a hard coded list of known problem devices, as
previously listed here. " (end quote)

cf. http://www.imatix.co.nz/test/testwindev.c

--- Chad Loder <cloder () acm org> wrote:
I agree that enumerating special DOS devices is
not the best way to protect yourself, but just as
a point of fact, it's easy to enumerate them. Here's
a quick program I wrote to demonstrate:

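// enumdev.cpp
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int main(int argc, char* argv[])
{
    // Buffer for the double-NUL-terminated list of device names
    const DWORD cchDevices = 8191;
    LPTSTR devices = new TCHAR[cchDevices];
    // A NULL device name asks for the list of all MS-DOS device names
    DWORD dwRet = QueryDosDevice(NULL, devices, cchDevices);
    if (0 == dwRet)
    {
        DWORD err = GetLastError();
        _tprintf(_T("Could not query DOS devices: %lu\n"), err);
    }
    else
    {
        LPTSTR dev = devices;
        while (*dev != _T('\0'))
        {
            _tprintf(_T("%s\n"), dev);
            // Pointer arithmetic already counts in TCHARs, so no sizeof scaling
            dev += _tcslen(dev) + 1;
        }
    }
    delete[] devices;
    // Exit code 0 on success, 1 on failure
    return (dwRet != 0) ? 0 : 1;
}
// end enumdev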

On my system, this returns a huge list. I have no
idea what 90% of these devices mean, what the GUIDs
are for, etc. Of particular interest to me are the
devices named IPSECDev, IPFILTER, IPMULTICAST, etc.
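
The two-stage check described in the quoted Xitami message, as an added example in C that is not part of the original posts and is not Xitami's code. The function names, the fallback name list, and the treatment of ERROR_FILE_NOT_FOUND as "not a device" are assumptions.

```c
#include <ctype.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Upper-cased device-name candidate of `path`: the last path component, minus
   a drive prefix, cut at the first '.' or ':', trailing spaces dropped. */
static void candidate(const char *path, char *out, size_t n) {
    const char *p = path, *s;
    size_t i = 0;
    for (s = path; *s; s++)
        if (*s == '/' || *s == '\\') p = s + 1;
    if (isalpha((unsigned char)p[0]) && p[1] == ':') p += 2;  /* "C:NUL" */
    for (; *p && *p != '.' && *p != ':' && i + 1 < n; p++)
        out[i++] = (char)toupper((unsigned char)*p);
    while (i > 0 && out[i - 1] == ' ') i--;
    out[i] = '\0';
}

/* Assumed fallback list (Microsoft's documented reserved names plus CLOCK$);
   the post does not reproduce Xitami's own list. */
static int in_fallback_list(const char *name) {
    static const char *const fixed[] = { "CON", "PRN", "AUX", "NUL", "CLOCK$" };
    size_t i;
    for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (strcmp(name, fixed[i]) == 0) return 1;
    /* COM1..COM9 and LPT1..LPT9 */
    return strlen(name) == 4 && name[3] >= '1' && name[3] <= '9' &&
           (strncmp(name, "COM", 3) == 0 || strncmp(name, "LPT", 3) == 0);
}

/* Returns 1 if `path` refers to a DOS device, 0 otherwise. */
int is_dos_device(const char *path) {
    char name[16];
    candidate(path, name, sizeof name);
    if (name[0] == '\0') return 0;
#ifdef _WIN32
    {   /* Believe Windows only for its two sensible answers. Treating
           ERROR_FILE_NOT_FOUND as "not a device" is an assumption here. */
        char target[512];
        if (QueryDosDeviceA(name, target, sizeof target) != 0) return 1;
        if (GetLastError() == ERROR_FILE_NOT_FOUND) return 0;
    }
#endif
    return in_fallback_list(name);  /* DOS, OS/2, or a "silly" Win32 answer */
}
```

A server would call is_dos_device() on the requested path before opening it and refuse the request when it returns 1.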

