Bugtraq mailing list archives

Re: SurgeFTP vulnerabilities


From: Alun Jones <alun () texis com>
Date: Mon, 25 Jun 2001 09:42:34 -0500

At 03:08 AM 6/19/2001, you wrote:
Issue:
2.) FTP allows anybody to DOS the machine with a well known con/con attack.

Exploit:
2.) Connect to the server with anonymous and type cd con/con (yes, this is
well known and works with MANY others too, but we think it should be
filtered).

While filtering such a command line may be a worthy suggestion, and is certainly implemented in our own software, it is far from a perfect (or even appropriate) solution.

CON/CON is easy to avoid - you just filter on CON/CON. But then you also have to consider _every_ other DOS device name (MS calls them DDNs, in KB articles that reference them) that is, or could be, on your system. CLOCK$, for instance, can be used instead of CON, as can AUX, PRN, LPT1-9, etc, etc. Okay, you say, so you filter the standard DDNs out. Then you have to worry about non-standard, but possibly popular DDNs.

There is no system call (that I could find after several days of searching) that will enumerate the available DDNs, and there appears to be no interest in generating a patch that will prevent this DDN\DDN blue-screen error. The only option available to developers is to filter on as many known DDNs as possible, and allow the user to extend that filter as and when necessary. This, of course, requires a substantially educated user, which is almost always the weakest possible means of securing a system.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
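The filter the reply describes (block the standard DDNs in every path component, let the administrator extend the list), written out as an added example that is not part of the original post or of WFTPD. The standard names are the Microsoft-documented reserved device names plus CLOCK$ from the post; the `extra` parameter and the component normalisation rules are assumptions about how such a filter would be built.

```python
# Added example (not WFTPD code): a reserved-device-name filter for
# client-supplied FTP paths. Blocking known names is only a partial
# mitigation, as the post says; it cannot know about non-standard DDNs.
from typing import Iterable

# Assumed standard list: Microsoft's documented reserved names plus CLOCK$.
STANDARD_DDNS = frozenset(
    ["CON", "PRN", "AUX", "NUL", "CLOCK$"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def base_device_name(component: str) -> str:
    """Normalise one path component the way the Win32 namespace does:
    case-insensitive, trailing dots and spaces dropped, and only the part
    before the first dot matters ('CON.txt' still names CON)."""
    name = component.rstrip(" .")
    return name.split(".", 1)[0].strip().upper()


def is_device_name(component: str, extra: Iterable[str] = ()) -> bool:
    """True if a single path component resolves to a DOS device name.
    `extra` (assumed) lets an administrator add site-specific DDNs."""
    blocked = STANDARD_DDNS | {e.upper() for e in extra}
    return base_device_name(component) in blocked


def path_is_safe(ftp_path: str, extra: Iterable[str] = ()) -> bool:
    """Reject any client-supplied path (CWD, RETR, STOR, ...) that has a
    device name in any component; '/' and '\\' both separate components."""
    components = [c for c in ftp_path.replace("\\", "/").split("/") if c]
    return not any(is_device_name(c, extra) for c in components)


if __name__ == "__main__":
    # Constructed sample paths: the con/con case from the post and a few
    # variants that a naive exact-match filter would miss.
    for p in ["con/con", "/pub/CLOCK$", "lpt1.txt", "aux ", "/pub/console"]:
        print(f"{p!r:16} safe={path_is_safe(p)}")
```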

