Re: Windows MS-DOS Device Name DoS vulnerabilities

From: Ewen McNeill (ewenat_private)
Date: Sat Jul 07 2001 - 14:57:57 PDT


In message <20010707085436.70904.qmailat_private>, ByteRage writes:
>Unfortunately, QueryDosDevice is not supported on some
>flavours of windows. As stated on the Xitami Web
>Server Support Mailing List
>(http://xitami.ec-computers.net/2001/Apr/Msgs/l2w02603.html)
>
>[..... quoting a message that I wrote on the Xitami users mailing list .....]
>
>"As a result, I've rewritten the system_devicename()
>detection routine that Xitami uses, to take a more
>pragmatic approach:  [try QueryDosDevice(), then try fixed path names]
>[.....]"
>cfr http://www.imatix.co.nz/test/testwindev.c

Readers should note that this was an experiment with trying to make better
use of QueryDosDevice(), which didn't pan out.  As per my earlier post
to Bugtraq even this approach was not sufficient.  (Reading through the
Xitami list archives at the above website (through mid-May), and then
later at http://lists.xitami.org./pipermail/xitami/  (mid-May onwards)
gives more detail; the archives will be consolidated when we get time.)

In the end I concluded QueryDosDevice() simply was not suitable for
the purpose of determining whether a pathname would access a device or
not (due to unportability amongst various Win32 versions, inaccuracy on
various platforms (both false positives and false negatives), differences
in what it returned and what opening devices accepted, and the need to
test each portion of the path individually including doing processing
to strip off extensions, etc).

The eventual solution we went with is in the src/sfl/sflfile.c file in
Xitami 2.4d9 (release) and Xitami 2.5b5 (beta test); the source for both
is available from http://www.xitami.com/.  Essentially we open the file
with the Windows API first, check that it is a disk file (and fail the
open if it isn't), then reopen it with the unix-style interface wanted
by the rest of the software.  (Obviously this depends on having the OS
fix so that merely opening a device with the wrong path doesn't cause
the OS to crash.)

The eventual solution is a horrible kludge, but the 20+ year legacy
of devices being accessed through magic names that appear in every
directory is also a horrible kludge.  It was a somewhat cute trick when
I encountered it in CP/M, and understandable that it was in MS-DOS 1.0
given its heritage, but it really should never have been allowed to
persist 20 years later.

Ewen

-- 
Ewen McNeill, Technical Consultant, iMatix Corporation  www.imatix.com

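The handle-based check the post describes (open with the Windows API, verify the object is a disk file, only then give the rest of the program a unix-style descriptor), as an added example. This is not Xitami's sflfile.c code; the function names are mine. Two assumptions differ from the post: on Windows the verified handle is converted with _open_osfhandle() instead of reopening the name a second time, so the check and the later reads refer to the same object, and a POSIX branch using fstat() is included so the same source compiles and runs elsewhere for comparison.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>

#ifdef _WIN32
#include <windows.h>
#include <io.h>
#else
#include <sys/stat.h>
#include <unistd.h>
#endif

/* Open `path` for reading and return a C runtime file descriptor, but only
 * when the object behind the name is an ordinary disk file. Devices such as
 * CON, AUX, NUL or COM1 (which Windows resolves in every directory), pipes
 * and terminals are closed again and -1 is returned. The decision is made
 * on the open handle, not on the name, so it needs neither QueryDosDevice()
 * nor a fixed list of device names. */
int open_disk_file_only(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    /* GetFileType() reports FILE_TYPE_DISK for files on a disk; character
     * devices report FILE_TYPE_CHAR and pipes FILE_TYPE_PIPE. */
    if (GetFileType(h) != FILE_TYPE_DISK) {
        CloseHandle(h);
        return -1;
    }
    /* Hand the verified handle to the CRT rather than reopening by name. */
    int fd = _open_osfhandle((intptr_t)h, _O_RDONLY);
    if (fd < 0)
        CloseHandle(h);
    return fd;
#else
    /* POSIX branch (assumed equivalent): fstat() the open descriptor and
     * accept only regular files. */
    int fd = open(path, O_RDONLY);
    struct stat st;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
#endif
}

static void close_fd(int fd)
{
#ifdef _WIN32
    _close(fd);
#else
    close(fd);
#endif
}

/* Constructed fixture: write a small regular file and confirm it is
 * accepted. Returns 1 on the expected outcome, 0 otherwise. */
int demo_regular_file_is_accepted(void)
{
#ifdef _WIN32
    const char *name = "devcheck_sample.txt";
#else
    const char *name = "/tmp/devcheck_sample.txt";
#endif
    FILE *f = fopen(name, "w");
    int fd, ok;
    if (f == NULL)
        return 0;
    fputs("ordinary file contents\n", f);
    fclose(f);
    fd = open_disk_file_only(name);
    ok = (fd >= 0);
    if (ok)
        close_fd(fd);
    remove(name);
    return ok;
}

/* A device name must be refused even though opening it succeeds.
 * Returns 1 when it is refused. */
int demo_device_is_rejected(void)
{
#ifdef _WIN32
    const char *dev = "NUL";        /* MS-DOS device name, valid in any directory */
#else
    const char *dev = "/dev/null";  /* character device on POSIX */
#endif
    return open_disk_file_only(dev) < 0;
}

int main(void)
{
    printf("regular file accepted: %s\n", demo_regular_file_is_accepted() ? "yes" : "no");
    printf("device rejected:       %s\n", demo_device_is_rejected() ? "yes" : "no");
    return 0;
}
```

The same check applies to a path like `C:\webroot\CON` or `CON.txt`, since the type is read from whatever object the open actually resolved to; as the post notes, this only helps once the OS itself no longer crashes on the open.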



    This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 09:53:29 PDT