Bugtraq mailing list archives

Re: Windows MS-DOS Device Name DoS vulnerabilities


From: Ewen McNeill <ewen () imatix com>
Date: Sun, 08 Jul 2001 09:57:57 +1200

In message <20010707085436.70904.qmail () web13001 mail yahoo com>, ByteRage writes:
Unfortunately, QueryDosDevice is not supported on some
flavours of windows. As stated on the Xitami Web
Server Support Mailing List
(http://xitami.ec-computers.net/2001/Apr/Msgs/l2w02603.html)

[..... quoting a message that I wrote on the Xitami users mailing list .....]

"As a result, I've rewritten the system_devicename()
detection routine that Xitami uses, to take a more
pragmatic approach:  [try QueryDosDevice(), then try fixed path names]
[.....]"
cfr http://www.imatix.co.nz/test/testwindev.c

Readers should note that this was an experiment with trying to make better
use of QueryDosDevice(), which didn't pan out.  As per my earlier post
to Bugtraq even this approach was not sufficient.  (Reading through the
Xitami list archives at the above website (through mid-May), and then
later at http://lists.xitami.org./pipermail/xitami/  (mid-May onwards)
gives more detail; the archives will be consolidated when we get time.)

In the end I concluded QueryDosDevice() simply was not suitable for
the purpose of determining whether a pathname would access a device or
not (due to unportability amongst various Win32 versions, inaccuracy on
various platforms (both false positives and false negatives), differences
in what it returned and what opening devices accepted, and the need to
test each portion of the path individually including doing processing
to strip off extensions, etc).

The eventual solution we went with is in the src/sfl/sflfile.c file in
Xitami 2.4d9 (release) and Xitami 2.5b5 (beta test); the source for both
is available from http://www.xitami.com/  Essentially we open the file
with the Windows API first, check that it is disk file (and fail the
open if it isn't), then reopen it with the unix-style interface wanted
by the rest of the software.  (Obviously this depends on having the OS
fix so that merely opening a device with the wrong path doesn't cause
the OS to crash.)

The eventual solution is a horrible kludge, but the 20+ year legacy
of devices being accessed through magic names that appear in every
directory is also a horrible kludge.  It was a somewhat cute trick when
I encountered it in CP/M, and understandable that it was in MS-DOS 1.0
given its heritage, but it really should never have been allowed to
persist 20 years later.

Ewen

-- 
Ewen McNeill, Technical Consultant, iMatix Corporation  www.imatix.com
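The open-then-check sequence the post describes, as an added example that is not the Xitami sflfile.c code: the function name open_disk_file_only and the POSIX fstat() branch are assumptions of mine, while the Win32 branch calls GetFileType() on the already-open handle and rejects anything that is not FILE_TYPE_DISK before handing it to the C runtime.

```c
#include <errno.h>
#include <fcntl.h>
#ifdef _WIN32
#include <windows.h>
#include <io.h>
#include <stdint.h>
#else
#include <sys/stat.h>
#include <unistd.h>
#endif

/* Open `path` read-only, but only if it is an ordinary disk file.
   Returns a C-runtime descriptor, or -1 (errno set) if the name resolved
   to a device, pipe, directory etc.  The type check is made on the handle
   that was actually opened, so no separate name lookup can disagree. */
int open_disk_file_only(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        errno = ENOENT;             /* GetLastError() not translated here */
        return -1;
    }
    /* Names such as CON, NUL or COM1 open fine in any directory but report
       FILE_TYPE_CHAR; pipes report FILE_TYPE_PIPE.  Only disk files pass. */
    if (GetFileType(h) != FILE_TYPE_DISK) {
        CloseHandle(h);
        errno = EACCES;
        return -1;
    }
    /* Reopen in the unix-style form the rest of the software expects. */
    int fd = _open_osfhandle((intptr_t)h, _O_RDONLY);
    if (fd == -1)
        CloseHandle(h);
    return fd;
#else
    /* POSIX analogue (assumption): open, then fstat the descriptor and
       insist on a regular file, rejecting /dev/null, FIFOs, directories. */
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
#endif
}
```

As the post says, this only helps once the OS itself no longer crashes when a device is merely opened through a bogus path.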

