Bugtraq mailing list archives

Windows MS-DOS Device Name DoS vulnerabilities


From: ByteRage <byterage () yahoo com>
Date: Thu, 5 Jul 2001 02:34:28 -0700 (PDT)

Windows MS-DOS Device Name DoS vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AFFECTED SYSTEMS

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 SE

DESCRIPTION

This post is some kind of reply to all previous posts
about win32 (server) applications filtering out MS-DOS
Device Names (DDNs) to prevent requests for files such
as \CON\CON from crashing the operating system. As
these vulnerabilities exist due to a very internal
operating system flaw (ring0 device drivers), I don't
think it is the application programmer's fault nor
their responsibility to provide filtering for a bug
of which they don't know the exact cause or background.
Because the flaw is within the operating system, I
think it's obvious that the *operating system* itself
should be patched, instead of rewriting the applications
running under it to have filtering... The reason for
this is simple : it creates a false feeling of
security. In a lot of cases where applications have
filtering for these bugs, they don't filter every DDN,
nor do they provide a *real* solution to the problem
(checking whether the requested path contains a DDN
using OS calls), as is the case with the OS patch.
Conclusion : applications should not filter out DDNs,
because they don't fix the problem (basically they
make it even worse); the OS patch is better because it
fixes *ALL* problems, and if it didn't, then that's
what this discussion should be about.

To illustrate this problem, here's an incomplete list
of some of the DDNs that I know of :

CON,AUX,NUL,PRN,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,CLOCK$,CONFIG$,XMSXXXX0,$MMXXXX0,MSCD000,DBLBUFF$,EMMXXXX0,IFS$HLP$,SETVERXX,SCSIMGR$,DBLSBIN$,
MS$MOUSE, etc... etc...

(I'm pretty sure that you can find a shitload more by
typing MEM /DEBUG |MORE in a DOS window or doing some
research)

This list illustrates 3 things :
1) not every list of DDNs is complete
2) almost every computer has its own drivers and
associated (vulnerable) DDNs
3) it is virtually impossible for applications to
block all DDNs

CONCLUSION : patch your OS, and stop whining about so
called 'bugs' in applications, you will never be able
to completely patch the problem that way.
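The following is an added example, not code from ByteRage's post, written to make the post's argument concrete from the defender's side: a list-based filter only catches the device names it knows about, whereas an OS-level canonicalisation check does not depend on a list. The known-name set is constructed from the list in the post and is deliberately incomplete, as the post says every such list is. Two assumptions are labelled in the code: that DOS resolves a device name regardless of extension or trailing dots/spaces (so "CON.TXT" still names CON), and that on Windows the GetFullPathName call behind ntpath.abspath maps a device-name component into the \\.\ device namespace. Neither assumption comes from the post.

```python
import ntpath
import sys

# Reserved MS-DOS device names taken from the post's own list (constructed set).
# Known to be incomplete: every installed driver can register its own name,
# which is exactly the post's point 1) and 2).
KNOWN_DDNS = frozenset(
    "CON AUX NUL PRN CLOCK$ CONFIG$ XMSXXXX0 $MMXXXX0 MSCD000 DBLBUFF$ "
    "EMMXXXX0 IFS$HLP$ SETVERXX SCSIMGR$ DBLSBIN$ MS$MOUSE".split()
    + [f"LPT{i}" for i in range(1, 10)]
    + [f"COM{i}" for i in range(1, 10)]
)


def device_name_components(path, known=KNOWN_DDNS):
    """Return the path components whose base name is a device in `known`.

    Assumption (not from the post): DOS matches a device on the base name
    only, so the extension and trailing dots/spaces are ignored and the
    comparison is case-insensitive. Both '\\' and '/' separate components.
    """
    hits = []
    for comp in path.replace("/", "\\").split("\\"):
        base = comp.split(".", 1)[0].rstrip(" .").upper()
        if base and base in known:
            hits.append(comp)
    return hits


def contains_dos_device_name(path, known=KNOWN_DDNS):
    """List-based check: True only if a component matches a *known* name."""
    return bool(device_name_components(path, known))


def os_resolves_to_device(path):
    """OS-based check, Windows only.

    Assumption (not from the post): on Windows ntpath.abspath calls
    GetFullPathNameW, which rewrites a device-name component to the
    '\\\\.\\NAME' device namespace, so the prefix test needs no name list.
    On other platforms there is no equivalent call, so None is returned.
    """
    if sys.platform != "win32":
        return None
    return ntpath.abspath(path).startswith("\\\\.\\")


if __name__ == "__main__":
    # A short list (only the four classic names) misses CONFIG$, the
    # post's list catches it; the OS call would catch it without either.
    short_list = frozenset({"CON", "AUX", "NUL", "PRN"})
    for req in (r"\CON\CON", r"\CONFIG$\CONFIG$", "/cgi-bin/aux.cgi",
                r"C:\inetpub\wwwroot\index.html"):
        print(f"{req:32} short list: {contains_dos_device_name(req, short_list)!s:5} "
              f"post's list: {contains_dos_device_name(req)!s:5} "
              f"OS call: {os_resolves_to_device(req)}")
```

Running the block shows \CONFIG$\CONFIG$ slipping past the four-name filter while the post's longer list catches it, which is the "false feeling of security" the post describes; on a patched OS the request is rejected by the kernel regardless of what the application filters.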

PATCH

Go to the Microsoft Knowledge Base @
http://search.support.microsoft.com/kb/c.asp

And find the article with article ID Q256015
(titled Fatal Exception 0E with Multiple MS-DOS Device
Names in Path)

There you can find OS patches for Windows 95 and
Windows 95 OEM Service Release 2 (OSR2)
(http://download.microsoft.com/download/win95/Update/6467/W95/EN-US/256015USA5.EXE)
&
Windows 98 and Windows 98 Second Edition
(http://download.microsoft.com/download/win98SE/Update/6467/W98/EN-US/256015USA8.EXE)

=======================================================
[ByteRage] <byterage () yahoo com> [www.byterage.cjb.net]
=======================================================


