Bugtraq mailing list archives
RE: Windows MS-DOS Device Name DoS vulnerabilities
From: "David LeBlanc" <dleblanc () mindspring com>
Date: Mon, 16 Jul 2001 12:26:09 -0700
-----Original Message-----
From: Martin Werner [mailto:bugtraq () martinwerner de]
Sent: Monday, July 16, 2001 3:31 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: AW: Windows MS-DOS Device Name DoS vulnerabilities

Just want to give a new thought. Fact is, that on the one hand side, it's merely impossible to write a safe ftp server using Microsoft's Filesystem, because device names can cause trouble (and I think, this is not a bug, but it's been discussed)

I beg to differ. First, let's distinguish between file systems. If you say that it wouldn't be advisable to write an FTP server designed to run on FAT file systems, then I'd be inclined to agree. You can, OTOH, do a lot of work to re-implement file system security sufficient for an FTP server and be OK.

Now, on to the issue with device names - this isn't all that terribly difficult, and is part of proper file canonicalization practices. A call to CreateFile() on a device name will always succeed (or possibly blow up an unpatched Win9x system, so go get the patch or consider running your FTP server on NT or Win2k). Next, a call to GetFileInformationByHandle() will always fail if it is a device. GetFileType() can also be used to determine whether something is a device.

David LeBlanc
dleblanc () mindspring com
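
The check described in the message above, as an added example that is not part of the original post or the poster's own code: open the name, then ask the OS what the handle refers to before serving it. The function name `is_regular_file` is hypothetical, and the non-Windows branch goes beyond the post to show the same open-then-inspect idea with `fstat()`.

```c
/* Added example: open first, then ask the OS what the handle refers to. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>

/* Returns 1 if path opens as an ordinary disk file, 0 otherwise. */
int is_regular_file(const char *path)
{
    BY_HANDLE_FILE_INFORMATION info;
    int ok;
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    /* A device name can open successfully, so the open alone proves
       nothing. Both checks named in the post are applied here. */
    ok = GetFileType(h) == FILE_TYPE_DISK &&
         GetFileInformationByHandle(h, &info);
    CloseHandle(h);
    return ok;
}
#else
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* POSIX counterpart; O_NONBLOCK keeps open() from hanging on a FIFO. */
int is_regular_file(const char *path)
{
    struct stat st;
    int ok;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    close(fd);
    return ok;
}
#endif

int main(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i],
               is_regular_file(argv[i]) ? "regular file" : "rejected");
    return 0;
}
```

A server would keep using the handle it just checked rather than closing it and reopening the name, so the object cannot change between the check and the transfer.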