Bugtraq mailing list archives
Re[2]: Windows MS-DOS Device Name DoS vulnerabilities
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 7 Jul 2001 16:16:46 +0400
Hello Alun,

I was not right to write that I _completely_ disagree. In fact, I disagree with the conclusion of the original message:

-=-=-=-=-=-
CONCLUSION : patch your OS, and stop whining about so called 'bugs' in applications, you will never be able to completely patch the problem that way.
-=-=-=-=-

I'd like to change this to:

CONCLUSION : patch your OS and applications which do not check for special devices.

I think you catch the difference. Sure, if the application does check the type of the file, but the system crashes before that, it's only an OS problem. BUT: most of the latest DOS device holes discussed on Bugtraq (for example, a few holes in ASP.DLL) HAVE NO RELATION to the Windows 95/98/ME bug. It's an application bug.

I know my English is far from being perfect. Let me illustrate my opinion. Imagine you have a vulnerable application (A) which saves a user-supplied file with a user-supplied name (an FTP server, for example) without any check for the file type. You use this server in 2 different installations:

I1: Unpatched Windows 98 (with the "blue screen" bug)
I2: Windows NT 4.0 (it doesn't have this bug)

Someone is trying to save a file with the name com1. In the case of I1 you'll get a "blue screen". It's not right! Yes! The system MUST be patched! But in the case of I2 this file will be successfully dumped to your modem... Do you need new firmware? :))

If WFTPD is safe, nice for you, but have you tested different software? I did. I didn't test FTP servers and am not going to, because I don't need an FTP server under Windows. I check for bugs in the software I'm working with. The results are very sad.

AJ> The person quoted here doesn't indicate whether it is merely opening the
AJ> device files, or trying to access (read or write) their contents, is what
AJ> will "wedge the DOS box" - if the former, then GetFileType is sadly of no
AJ> assistance.

In fact, he did, because we discussed some concrete kind of software. This was said about writing to special devices. But reading from some devices can probably lead to DoS too (at least it can increase processor or disk usage for a long period of time).

--Friday, July 06, 2001, 10:00:35 PM, you wrote to 3APA3A () SECURITY NNOV RU:

AJ> At 04:46 AM 7/6/2001, 3APA3A wrote:
I completely disagree with your paper. It puts software developers and users into a false sense of security. Right now SECURITY.NNOV is working out a few MS-DOS Device Name issues with vendors (not only in Windows 95/98/ME but also in NT/2000), and the problem is definitely in the software, not in the operating system, because the operating system behaves exactly as expected and documented. Later we will publish our advisory. Software MUST check the type of the file it tries to access BEFORE it accesses it, if this can cause access to a special device. Special devices under Windows allow raw access to ports, drives, tapes, etc., and the impact of such access can be the same as the impact of accessing /dev under Unix.
AJ> The hole that ByteRage discussed was most _definitely_ a flaw in system
AJ> security, wherein merely trying to open a file with a path name that
AJ> contained two DDNs would cause a BSoD. Your suggested workaround of
AJ> GetFileType() requires a handle to an open file, which you cannot get
AJ> without (tada!) opening the file, which itself would have caused the crash.
MS patched one hole, which caused Windows 95/98/ME to crash when some API call referred to a special device. This patch doesn't solve the problem of special devices, because _successful_ access to such devices under Windows can have a much greater impact.
AJ> This is a second issue with device names, and is not touched on by
AJ> ByteRage's initial posting in this thread. You aren't disagreeing with
AJ> ByteRage, you're posting something additional that just happens to share
AJ> the detail of access to devices through file-like paths.
Also, enumeration of special device names is a bad idea. New versions of Windows can introduce new devices. Eugene Roshal (http://www.rarsoft.com), developer of the well-known utilities Far and Rar, recommends using the GetFileType() API. In MS source examples you can find a lot of:
AJ> Enumeration of special devices, by an API, would be most useful, because
AJ> then an application could prohibit access to device names _prior_ to having
AJ> to open the file. Should there be future bugs discovered in opening device
AJ> specifiers, it'd be nice to be able to say "filter all input paths and
AJ> remove any specification that matches a device name". Currently, there is
AJ> no API to do this.
According to Mr. Roshal, FILE_TYPE_CHAR and FILE_TYPE_PIPE probably refer to special device names.
AJ> According to the documentation:
AJ> FILE_TYPE_UNKNOWN - The type of the specified file is unknown.
AJ> FILE_TYPE_DISK - The specified file is a disk file.
AJ> FILE_TYPE_CHAR - The specified file is a character file, typically an LPT
AJ> device or a console.
AJ> FILE_TYPE_PIPE - The specified file is either a named or anonymous pipe.
Also, `prn' and `lpt1' are just a sample of the special names. Any device driver which can be reached by opening a special file name will cause such problems; thus the list of the offending names cannot be known in advance, since additional device drivers can be installed on the target system.
AJ> A list compiled programmatically at the start of operation would be
AJ> somewhat more useful. While it's true that additional device drivers can
AJ> be installed while a program is running, I wonder if these are given DDNs?
In addition, the file-name extension is ignored when the basename matches. So `aux.lst', `prn.c', `con.foo', and an infinite number of other similar names--all of them are prone to this problem. Some of the devices will actually wedge the DOS box ... kids, don't try that at home!
AJ> The person quoted here doesn't indicate whether it is merely opening the
AJ> device files, or trying to access (read or write) their contents, is what
AJ> will "wedge the DOS box" - if the former, then GetFileType is sadly of no
AJ> assistance.
AJ> Alun.
AJ> ~~~~
AJ> --
AJ> Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
AJ> 1602 Harvest Moon Place | http://www.wftpd.com or email alun () texis com
AJ> Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
AJ> Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.

--
~/3APA3A
A punch in the face for the ENIACs! (Lem)
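The two checks the thread contrasts, as an added example that is not code from any message in the thread nor from Far, Rar or WFTPD: a name filter for the classic device names that applies the "aux.lst"-style extension rule and covers every path component (so a path that merely contains a device name is caught), followed on Windows by the GetFileType() check Roshal recommends. The name list and the Win32 wrapper are assumptions; the list covers only the classic devices, which is exactly why the post-open check stays in.

```c
/* Added example, not code from the thread: screen a user-supplied path for
 * MS-DOS device names before opening it and, on Windows, re-check the open
 * handle with GetFileType(). The name list is an assumption: it covers only
 * the classic devices and, as the thread notes, cannot be exhaustive. */
#include <ctype.h>
#include <string.h>
/* 1 if one path component names a DOS device: case-insensitive, and the
 * extension is ignored, so "aux.lst", "prn.c" and "con.foo" all match. */
int is_dos_device_name(const char *comp)
{
    char base[8]; size_t n = 0;
    while (comp[n] && comp[n] != '.') {      /* basename up to first '.' */
        if (n + 1 >= sizeof base) return 0;  /* too long to be reserved */
        base[n] = (char)toupper((unsigned char)comp[n]);
        n++;
    }
    base[n] = '\0';
    if (!strcmp(base, "CON") || !strcmp(base, "PRN") ||
        !strcmp(base, "AUX") || !strcmp(base, "NUL")) return 1;
    return n == 4 && (!strncmp(base, "COM", 3) || !strncmp(base, "LPT", 3))
           && base[3] >= '1' && base[3] <= '9';     /* COM1..9, LPT1..9 */
}

/* 1 if any backslash- or slash-separated component of path is a device
 * name, so "logs\com1\x.txt" is rejected as well as a bare "lpt1". */
int path_has_dos_device(const char *path)
{
    char comp[260]; size_t n = 0;
    for (const char *p = path;; p++) {
        if (*p != '\\' && *p != '/' && *p != '\0') {
            if (n + 1 < sizeof comp) comp[n++] = *p;
            continue;
        }
        comp[n] = '\0';                      /* end of a component */
        if (n && is_dos_device_name(comp)) return 1;
        if (*p == '\0') return 0;
        n = 0;
    }
}
#ifdef _WIN32
#include <windows.h>
/* Second check after the open: keep only handles to plain disk files. */
int open_disk_file_only(const char *path, HANDLE *out)
{
    HANDLE h = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_NEW,
                           FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    if (GetFileType(h) == FILE_TYPE_DISK) { *out = h; return 1; }
    CloseHandle(h); return 0;
}
#endif
```

On the unpatched Windows 95/98/ME case the thread discusses, only the name filter helps, since the crash happens at the open itself; on NT the post-open GetFileType() check is what stops a successful open of a device from going further.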