Windows MS-DOS Device Name DoS vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AFFECTED SYSTEMS

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 SE

DESCRIPTION

This post is some kind of reply to all previous posts about win32 (server) applications filtering out MS-DOS Device Names (DDNs) to prevent requests for files such as \CON\CON from crashing the operating system.

As these vulnerabilities exist due to a very internal operating system flaw (ring0 device drivers), I don't think it is the application programmer's fault nor their responsibility to provide filtering for a bug whose exact cause or background they don't know. Because the flaw is within the operating system I think it's obvious that the *operating system* itself is patched, instead of rewriting the applications running under it to have filtering...

The reason for this is simple : it creates a false feeling of security. In a lot of cases where applications have filtering for these bugs, they don't filter every DDN nor do they provide a *real* solution to the problem (checking whether the requested path contains a DDN using OS calls), as is the case with the OS patch.

Conclusion : applications should not filter out DDNs, because they don't fix the problem (basically they make it even worse), the OS patch is better because it fixes *ALL* problems, and if it wouldn't then that's where this discussion should be about.

To illustrate this problem, here's an incomplete list of some of the DDNs that I know of :

CON, AUX, NUL, PRN,
LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9,
COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9,
CLOCK$, CONFIG$, XMSXXXX0, $MMXXXX0, MSCD000, DBLBUFF$, EMMXXXX0, IFS$HLP$, SETVERXX, SCSIMGR$, DBLSBIN$, MS$MOUSE, etc... etc...

(I'm pretty sure that you can find a shitload more by typing MEM /DEBUG |MORE in a DOS window or doing some research)

This list illustrates 3 things :

1) not every list of DDNs is complete
2) almost every computer has its own drivers and associated (vulnerable) DDNs
3) it is virtually impossible for applications to block all DDNs

CONCLUSION : patch your OS, and stop whining about so-called 'bugs' in applications, you will never be able to completely patch the problem that way.

PATCH

Go to the Microsoft Knowledge Base @ http://search.support.microsoft.com/kb/c.asp and find the article with article ID Q256015 (titled Fatal Exception 0E with Multiple MS-DOS Device Names in Path)

There you can find OS patches for

Windows 95 and Windows 95 OEM Service Release 2 (OSR2)
(http://download.microsoft.com/download/win95/Update/6467/W95/EN-US/256015USA5.EXE)

&

Windows 98 and Windows 98 Second Edition
(http://download.microsoft.com/download/win98SE/Update/6467/W98/EN-US/256015USA8.EXE)

=======================================================
[ByteRage] <byterageat_private> [www.byterage.cjb.net]
=======================================================
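The coverage gap the post describes can be measured. The following is an added example, not part of the original post: it compares a short application-side filter against the device names listed above and flags logged request paths that such a filter would let through. APP_FILTER, SAMPLE_PATHS and all function names are constructed for illustration.

```python
import re

# Device names exactly as listed in the post (which calls the list incomplete).
POST_DDNS = (
    ["CON", "AUX", "NUL", "PRN"]
    + [f"LPT{i}" for i in range(1, 10)]
    + [f"COM{i}" for i in range(1, 10)]
    + ["CLOCK$", "CONFIG$", "XMSXXXX0", "$MMXXXX0", "MSCD000", "DBLBUFF$",
       "EMMXXXX0", "IFS$HLP$", "SETVERXX", "SCSIMGR$", "DBLSBIN$", "MS$MOUSE"]
)

# Assumption: a hypothetical application filter that only knows the classic names.
APP_FILTER = ["CON", "AUX", "NUL", "PRN",
              "COM1", "COM2", "COM3", "COM4", "LPT1", "LPT2", "LPT3"]

# Constructed request paths, as they might appear in a server log.
SAMPLE_PATHS = [r"\CON\CON", r"\docs\index.htm",
                r"\logs\clock$\today.txt", "/files/Config$/a.txt"]

def ddn_components(path, names):
    """Return the path components equal to a device name (case-insensitive)."""
    wanted = {n.upper() for n in names}
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return [p for p in parts if p.upper() in wanted]

def filter_gaps(app_filter, known):
    """Names in `known` that the application filter does not cover."""
    covered = {n.upper() for n in app_filter}
    return [n for n in known if n.upper() not in covered]

def audit(paths, app_filter, known):
    """Paths holding a known device name that the application filter misses."""
    return [p for p in paths
            if ddn_components(p, known) and not ddn_components(p, app_filter)]

if __name__ == "__main__":
    gaps = filter_gaps(APP_FILTER, POST_DDNS)
    print(f"filter covers {len(POST_DDNS) - len(gaps)} of {len(POST_DDNS)} listed names")
    print("not covered:", ", ".join(gaps))
    for p in audit(SAMPLE_PATHS, APP_FILTER, POST_DDNS):
        print("passes the filter but contains a device name:", p)
```

Any names found on a given machine with MEM /DEBUG would be appended to POST_DDNS before running the audit, which is the post's second point: the reference list itself differs per computer.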
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 14:04:56 PDT