Bugtraq mailing list archives

Re[2]: Windows MS-DOS Device Name DoS vulnerabilities


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 7 Jul 2001 16:16:46 +0400

Hello Alun,

I was not right to write that I _completely_ disagree. In fact, I
disagree with the conclusion of the original message:

-=-=-=-=-=-
CONCLUSION : patch your OS, and stop whining about so
called 'bugs' in applications, you will never be able
to completely patch the problem that way.
-=-=-=-=-

I'd like to change this to:

CONCLUSION : patch your OS and applications which do not check for
special devices.

I think you catch the difference. Sure, if the application does check
the type of the file, but the system crashes before that, it's only an
OS problem.

BUT:

Most of the latest DOS device holes discussed on Bugtraq (for example,
a few holes in ASP.DLL) HAVE NO RELATION to the Windows 95/98/ME bug.
They are application bugs.

I know my English is far from perfect. Let me illustrate my opinion.

Imagine you have a vulnerable application (A) which saves a user-supplied
file with a user-supplied name (an FTP server, for example) without any
check for file type. You use this server in 2 different installations:

 I1: Unpatched Windows 98 (with "blue screen" bug)
 I2: Windows NT 4.0 (it doesn't have this bug)

Someone is trying to save a file with the name com1. In case of I1 you'll
get a "blue screen". It's not right! Yes! The system MUST be patched! But
in case of I2 this file will be successfully dumped to your modem... Do
you need new firmware? :))

If WFTPD is safe, nice for you, but have you tested different software?
I did. I didn't test ftp servers and am not going to, because I don't
need an ftp server under Windows. I check for bugs in the software I'm
working with. The results are very sad.

AJ> The person quoted here doesn't indicate whether it is merely opening the
AJ> device files, or trying to access (read or write) their contents, is what 
AJ> will "wedge the DOS box" - if the former, then GetFileType is sadly of no 
AJ> assistance.

In fact, he did, because we discussed some concrete kind of software.
This was said about writing to special devices. But reading of some
devices can probably lead to DoS too (at least it can increase
processor or disk usage for a huge period of time).

--Friday, July 06, 2001, 10:00:35 PM, you wrote to 3APA3A () SECURITY NNOV RU:

AJ> At 04:46 AM 7/6/2001, 3APA3A wrote:
I completely disagree with your paper. It puts software developers and
users into a false sense of security. Right now SECURITY.NNOV is working
out a few MS-DOS Device Name issues with vendors (not only in Windows
95/98/ME but also in NT/2000), and the problem is definitely in the
software, not in the operating system, because the operating system
behaves exactly as expected and documented. Later we will publish our
advisory. Software MUST check the type of file it tries to access BEFORE
it accesses it, if this can cause access to a special device. Special
devices under Windows allow raw access to ports, drives, tapes, etc.,
and the impact of such access can be the same as the impact of accessing
/dev under unix.

AJ> The hole that ByteRage discussed was most _definitely_ a flaw in system 
AJ> security, wherein merely trying to open a file with a path name that 
AJ> contained two DDNs would cause a BSoD.  Your suggested workaround of 
AJ> GetFileType() requires a handle to an open file, which you cannot get 
AJ> without (tada!) opening the file, which itself would have caused the crash.

MS patched one hole, which causes Windows 95/98/ME to crash when some
API call refers to any special device. This patch doesn't solve the
problem of special devices, because _successful_ access to such devices
under Windows can lead to a much greater impact.

AJ> This is a second issue with device names, and is not touched on by 
AJ> ByteRage's initial posting in this thread.  You aren't disagreeing with 
AJ> ByteRage, you're posting something additional that just happens to share 
AJ> the detail of access to devices through file-like paths.

Also, enumeration of special device names is a bad idea. New versions of
Windows can introduce new devices. Eugene Roshal
(http://www.rarsoft.com), developer of the well-known utilities Far and
Rar, recommends use of the GetFileType() API. In MS source examples you
can find a lot of:

AJ> Enumeration of special devices, by an API, would be most useful, because 
AJ> then an application could prohibit access to device names _prior_ to having 
AJ> to open the file.  Should there be future bugs discovered in opening device 
AJ> specifiers, it'd be nice to be able to say "filter all input paths and 
AJ> remove any specification that matches a device name".  Currently, there is 
AJ> no API to do this.

According to Mr. Roshal, FILE_TYPE_CHAR and FILE_TYPE_PIPE probably
refer to special device names.

AJ> According to the documentation:

AJ> FILE_TYPE_UNKNOWN - The type of the specified file is unknown.
AJ> FILE_TYPE_DISK - The specified file is a disk file.
AJ> FILE_TYPE_CHAR - The specified file is a character file, typically an LPT 
AJ> device or a console.
AJ> FILE_TYPE_PIPE - The specified file is either a named or anonymous pipe.

Also, `prn' and `lpt1' are just a sample of the special names. Any
device driver which can be reached by opening a special file name will
cause such problems; thus the list of the offending names cannot be
known in advance, since additional device drivers can be installed on
the target system.

AJ> A list compiled programmatically at the start of operation would be 
AJ> somewhat more useful.  While it's true that additional device drivers can 
AJ> be installed while a program is running, I wonder if these are given DDNs?

In addition, the file-name extension is ignored when the basename
matches. So `aux.lst', `prn.c', `con.foo', and an infinite number of
other similar names--all of them are prone to this problem. Some of
the devices will actually wedge the DOS box ... kids, don't try that
at home!

AJ> The person quoted here doesn't indicate whether it is merely opening the 
AJ> device files, or trying to access (read or write) their contents, is what 
AJ> will "wedge the DOS box" - if the former, then GetFileType is sadly of no 
AJ> assistance.

AJ> Alun.
AJ> ~~~~

AJ> --
AJ> Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
AJ> 1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
AJ> Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
AJ> Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.


-- 
~/3APA3A
Punch the ENIACs in the face!  (Lem)
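As an added example (not code from this thread, from WFTPD or from any vendor named above), here is the two-stage check the discussion converges on: a cheap string filter on the basename with its extension dropped, which is what lets `aux.lst' and `prn.c' through to devices, followed on Windows by the GetFileType() check that Roshal recommends. Function names and the short reserved-name list are my own assumptions.

```c
/* Added example, not code from the thread: two-stage filtering of a
 * user-supplied file name. Stage 1 is a string check on the basename with
 * its extension dropped ("aux.lst", "prn.c", "con.foo" all reach devices);
 * stage 2 (Windows only) rejects handles GetFileType() says are not disk files. */
#include <ctype.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 1 if the basename (extension ignored, case-insensitive) is a classic DOS
 * device name. The list is deliberately short: installed drivers can add
 * names, so stage 2 is still needed. */
int is_dos_device_name(const char *path)
{
    const char *base = path, *p;
    char name[16];
    size_t n = 0;

    for (p = path; *p; p++)            /* basename after '\' or '/' */
        if (*p == '\\' || *p == '/')
            base = p + 1;
    for (p = base; *p && *p != '.' && n < sizeof name - 1; p++)
        name[n++] = (char)toupper((unsigned char)*p);
    if (*p && *p != '.')               /* too long to be a device name */
        return 0;
    name[n] = '\0';
    if (!strcmp(name, "CON") || !strcmp(name, "PRN") ||
        !strcmp(name, "AUX") || !strcmp(name, "NUL"))
        return 1;
    return n == 4 && (!memcmp(name, "COM", 3) || !memcmp(name, "LPT", 3))
           && name[3] >= '1' && name[3] <= '9';
}

#ifdef _WIN32
/* Stage 2: open, then refuse handles that are not plain disk files. On an
 * unpatched Windows 9x the open itself can crash, so stage 1 runs first. */
int open_disk_file_only(const char *path, HANDLE *out)
{
    HANDLE h = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_NEW,
                           FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    if (GetFileType(h) != FILE_TYPE_DISK) { /* CHAR or PIPE: a device */
        CloseHandle(h);
        return 0;
    }
    *out = h;
    return 1;
}
#endif
```

Win32 path normalization also strips trailing spaces and periods from a name, so apply the same normalization to the user's input before running the string check.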


