Re: Windows MS-DOS Device Name DoS vulnerabilities

From: Dennis Jenkins (djenkinsat_private)
Date: Mon Jul 09 2001 - 07:08:38 PDT


    Pavel Kankovsky wrote:
    > 
    > On Fri, 6 Jul 2001, 3APA3A wrote:
    > 
    > > ... and the problem is definitely in software, not in operation
    > > system, because operation system behaves exactly as expected and
    > > documented.
    > 
    > But it is still OS's problem when the specification / documentation it
    > conforms to is braindead. Adding implicit entries for devices into EVERY
    > directory is definitely braindead.
    > 
    > BTW: What will happen when Joe Luser creates a file called XYZ on day 1,
    > installs a device driver called XYZ--adding XYZ to the list of magical
    > filenames--on day 2, and tries to access XYZ on day 3? Inquiring minds
    > want to know...
    
    	He will access the device.  This is documented in the book
    "Undocumented DOS" (author, editor, press I don't remember).  In the
    early days of DOS, there was a reason why this was done.  But I don't
    remember that either.  I should probably dig out my copy of this book...
    
    	"Scandisk" and similar tools will rename the file (using God knows what
    API) if they come across it during a scan.  
    
    
    > > if( GetFileType(hFile) != FILE_TYPE_DISK ) {
    > >      lstrcpy( lpszPath, TEXT("Invalid File Type") );
    > >      return( 0 );
    > >   }
    > [...]
    > > Checks  like  this  must be in "best coding practice", because even if
    > > security  is  not  in question user can specify special device name by
    > > accident.
    > 
    > Unfortunately, a user can specify such a name deliberately in order to do
    > something meaningful (e.g. the old good "copy con filename"). Adding such
    > a check to programs interpreting filenames given by an untrusted party is
    > probably a good idea (both on MS Windows and unix-like OSes) but it is
    > more a desperate attempt to circumvent the lack of a better mechanism than
    > "the best coding practice."
    > 
    > BTW2: GetFileType() seems to take a handle as its argument, i.e. the
    > caller must already have called OpenFile() in order to be able to use
    > it--and call CloseFile() (CloseHandle()?) afterwards. Are OpenFile() and
    > CloseFile() guaranteed to be free of dangerous side effects?
    > 
    > --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    > "Resistance is futile. Open your source code and prepare for assimilation."
    
    -- 
    djenkinsat_private                           Universal Savings Bank.
    Security Administrator, Unix Administrator, Alpha Geek
    
    The three most dangerous things are a programmer with a soldering
    iron, a manager who codes, and a user who gets ideas.
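The objection raised in the quoted mail is that GetFileType() only works on a handle, so the name has already been opened by the time the check runs. The other option for a program that receives filenames from an untrusted party is to reject reserved device names before calling any open API. The following is an added example, not code from this thread or from any of its participants: a portable C check of that kind. The list of reserved names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the rules that an extension and trailing spaces are ignored ("CON.txt" and "NUL " still name the device) are assumptions taken from the documented Win32 naming rules; the sample names in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the last path component names a reserved MS-DOS device
 * (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), 0 otherwise.
 *
 * Assumed naming rules (documented Win32 behaviour, not taken from this
 * thread): the comparison is case-insensitive, everything from the first
 * '.' onward is ignored ("CON.txt" still means CON), and trailing spaces
 * before that point are ignored ("NUL " still means NUL). */
int is_dos_device_name(const char *path)
{
    const char *base = path;
    const char *end;
    const char *p;
    char stem[8];
    size_t n;
    size_t i;

    /* Drop directory components: keep only what follows the last separator. */
    for (p = path; *p != '\0'; ++p) {
        if (*p == '/' || *p == '\\')
            base = p + 1;
    }

    /* The stem ends at the first '.' (extension) or at the end of the name. */
    for (end = base; *end != '\0' && *end != '.'; ++end)
        ;

    /* Trailing spaces are not significant in the device-name comparison. */
    while (end > base && end[-1] == ' ')
        --end;

    /* Every reserved name is exactly 3 or 4 characters long. */
    n = (size_t)(end - base);
    if (n < 3 || n > 4)
        return 0;

    for (i = 0; i < n; ++i)
        stem[i] = (char)toupper((unsigned char)base[i]);
    stem[n] = '\0';

    if (n == 3)
        return strcmp(stem, "CON") == 0 || strcmp(stem, "PRN") == 0 ||
               strcmp(stem, "AUX") == 0 || strcmp(stem, "NUL") == 0;

    /* n == 4: COM1..COM9 and LPT1..LPT9 (COM0 and LPT0 are not reserved). */
    if (strncmp(stem, "COM", 3) == 0 || strncmp(stem, "LPT", 3) == 0)
        return stem[3] >= '1' && stem[3] <= '9';

    return 0;
}

int main(void)
{
    /* Constructed sample names: some are devices, some only look like them. */
    static const char *const samples[] = {
        "CON", "con.txt", "NUL ", "C:\\temp\\LPT1", "COM9.log",
        "readme.txt", "COM10", "CONTINUE", "LPT0", ""
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-16s -> %s\n", samples[i],
               is_dos_device_name(samples[i]) ? "reserved device name"
                                              : "ordinary name");
    return 0;
}
```

The check deliberately errs on the side of rejecting: a name such as "COM9.log" is refused even though a program might mean a real file, because on Windows it would open the serial port instead. It only inspects the last path component, so paths that address devices through other namespaces are a separate case and are not covered by this function.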
    



    This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 10:37:48 PDT