Bugtraq mailing list archives
Re: Windows MS-DOS Device Name DoS vulnerabilities
From: Dennis Jenkins <djenkins () usb com>
Date: Mon, 09 Jul 2001 09:08:38 -0500
Pavel Kankovsky wrote:

> On Fri, 6 Jul 2001, 3APA3A wrote:
>
> > ... and the problem is definitely in software, not in operating system, because operating system behaves exactly as expected and documented.
>
> But it is still OS's problem when the specification / documentation it conforms to is braindead. Adding implicit entries for devices into EVERY directory is definitely braindead.
>
> BTW: What will happen when Joe Luser creates a file called XYZ on day 1, installs a device driver called XYZ--adding XYZ to the list of magical filenames--on day 2, and tries to access XYZ on day 3? Inquiring minds want to know...

He will access the device. This is documented in the book "Undocumented DOS" (author, editor, press I don't remember). In the early days of DOS, there was a reason why this was done. But I don't remember that either. I should probably dig out my copy of this book... "Scandisk" and similar tools will rename the file (using God knows what API) if they come across it during a scan.

> > if( GetFileType(hFile) != FILE_TYPE_DISK ) {
> >     lstrcpy( lpszPath, TEXT("Invalid File Type") );
> >     return( 0 );
> > }
> > [...]
> > Checks like this must be in "best coding practice", because even if security is not in question, a user can specify a special device name by accident.
>
> Unfortunately, a user can specify such a name deliberately in order to do something meaningful (e.g. the old good "copy con filename"). Adding such a check to programs interpreting filenames given by an untrusted party is probably a good idea (both on MS Windows and unix-like OSes) but it is more a desperate attempt to circumvent the lack of a better mechanism than "the best coding practice."
>
> BTW2: GetFileType() seems to take a handle as its argument, i.e. the caller must already have called OpenFile() in order to be able to use it--and call CloseFile() (CloseHandle()?) afterwards. Are OpenFile() and CloseFile() guaranteed to be free of dangerous side effects?
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."

--
djenkins () usb com
Universal Savings Bank.
Security Administrator, Unix Administrator, Alpha Geek
The three most dangerous things are a programmer with a soldering iron, a manager who codes, and a user who gets ideas.
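The quoted GetFileType() check can only run after the name has been opened, which is the side-effect concern raised above. As an added example (not code from this thread), here is a pure string check that rejects a path before any open call is made. The function names are hypothetical and the reserved-name list is an assumed static list, so a driver-added name such as the XYZ case is not caught.

```c
#include <ctype.h>
#include <string.h>

/* Well-known reserved base names; COM1-9 and LPT1-9 are matched below.
   Assumption: a static list. It cannot know names added by drivers. */
static const char *const RESERVED[] = { "CON", "PRN", "AUX", "NUL" };

/* True if the n bytes at s equal the upper-case word w, ignoring case. */
static int eq_nocase(const char *s, size_t n, const char *w)
{
    size_t i;
    if (strlen(w) != n) return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != w[i]) return 0;
    return 1;
}

/* One path component: compare only the part before the first '.' or ':'
   and drop trailing spaces, so "NUL.txt", "LPT1:" and "aux " all match. */
static int component_is_device(const char *s, size_t len)
{
    size_t n = 0, i;
    while (n < len && s[n] != '.' && s[n] != ':') n++;
    while (n > 0 && s[n - 1] == ' ') n--;
    for (i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (eq_nocase(s, n, RESERVED[i])) return 1;
    return n == 4 && s[3] >= '1' && s[3] <= '9' &&
           (eq_nocase(s, 3, "COM") || eq_nocase(s, 3, "LPT"));
}

/* Returns 1 if any component of path is a device name. Pure string check:
   call it on untrusted names before any open call is attempted. */
int path_has_device_name(const char *path)
{
    const char *p = path;
    if (isalpha((unsigned char)p[0]) && p[1] == ':') p += 2; /* drive */
    while (*p) {
        size_t len = strcspn(p, "\\/");
        if (component_is_device(p, len)) return 1;
        p += len;
        if (*p) p++;                        /* skip the separator */
    }
    return 0;
}
```

Because the list is static, a server handling untrusted names would still keep the post-open GetFileType() test as a second layer.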