
Improper Handling of Windows Device Names

ID: 67
Date: (C)2012-05-14 (M)2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Variant





Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Extended Description

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Likelihood of Exploit: High to Very High

Applicable Platforms
Language Class: All
Operating System Class: Windows

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Common Consequences

Scope: Availability, Confidentiality, Other
Technical Impact: DoS: crash / exit / restart; Read application data; Other

Detection Methods
None

Potential Mitigations

Phase: Implementation
Description: Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
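
One way to implement the input check described in this mitigation, as an added example that is not part of the CWE entry. The function names and sample paths are hypothetical; the reserved-name set follows Microsoft's file-naming documentation and extends the names listed on this page (AUX, CON, PRN, COM1, LPT1).

```python
import re

# Reserved DOS device names per Microsoft's file-naming documentation.
# Digits 0-9 are covered for COM/LPT so the check errs on the strict side.
_RESERVED = re.compile(r"(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])", re.IGNORECASE)

# Constructed sample inputs, not taken from any real request log.
SAMPLE_PATHS = [
    "reports/2024/summary.pdf",
    "uploads/con.txt",
    "a\\AUX \\b/lpt1",
    "COM10/console.log",
    "C:\\data\\NUL.tar.gz",
]


def reserved_components(user_path):
    """Return the path components that Windows would treat as a device."""
    hits = []
    # Windows accepts both separators, so split on either one.
    for component in re.split(r"[\\/]+", user_path):
        # The device match ignores an extension ("NUL.tar.gz"), a trailing
        # colon form ("COM1:") and trailing spaces ("AUX "), and is
        # case-insensitive, so compare only the stem before '.' or ':'.
        stem = re.split(r"[.:]", component, maxsplit=1)[0].rstrip(" ")
        # fullmatch keeps "COM10" and "console" from matching by prefix.
        if _RESERVED.fullmatch(stem):
            hits.append(component)
    return hits


def is_safe_pathname(user_path):
    """Reject the whole pathname if any component is a reserved device name."""
    return not reserved_components(user_path)


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        verdict = "ok" if is_safe_pathname(path) else "REJECT"
        print(f"{verdict:6} {path!r} {reserved_components(path)}")
```

Run the check on every component after URL decoding and before the pathname reaches any file API, and return a generic error on rejection so the response does not disclose the physical path.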
 
  

Relationships

Related CWE: CWE-67 ChildOf CWE-893
Type: Category
View: CWE-888

Demonstrative Examples
None

Observed Examples

  1. CVE-2002-0106 : Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  2. CVE-2002-0200 : Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  3. CVE-2002-1052 : Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  4. CVE-2001-0493 : Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  5. CVE-2001-0558 : Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  6. CVE-2000-0168 : Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability.
  7. CVE-2001-0492 : Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  8. CVE-2004-0552 : Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  9. CVE-2005-2195 : Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

  • PLOVER: Windows MS-DOS device names
  • CERT C Secure Coding, FIO32-C: Do not perform operations on devices that are only appropriate for files
  • CERT Java Secure Coding, FIO00-J: Do not operate on files in shared directories
  • CERT C++ Secure Coding, FIO32-CPP: Do not perform operations on devices that are only appropriate for files


© 2013 SecPod Technologies