Re: SurgeFTP vulnerabilities

[Ewen McNeill <ewen () imatix com>]

In message <4.3.2.7.2.20010625093714.02218ef0 () mail io com>, Alun Jones writes:
> At 03:08 AM 6/19/2001, you wrote:
> > 2.) Connect to the server with anonymous and type cd con/con (yes, this is
> > well know and works with MANY other too, but we think it should be
> > filtered).
>
> While filtering such a command line may be a worthy suggestion, and is 
> certainly implemented in our own software, it is far from a perfect (or 
> even appropriate) solution.  [but many possible combinations, and non
> standard device names]
>
> There is no system call (that I could find after several days of searching) 
> that will enumerate the available DDNs, 

QueryDosDevice() will return a list of devices.  But it's not terribly
helpful because (a) it only works on Windows NT/2000 (and a little bit
under Windows 95/98/ME, but not very reliably, giving many false positives
and false negatives), and (b) there are many varitions on device names
that are accepted, but will not appear in the list of devices returned
(presumably this is a bounded list, but I couldn't find it documented, and
gave up trying to enumerate it).

> The only option available to developers is to filter on as many 
> known DDNs as possible, and allow the user to extend that filter as and 
> when necessary.  This, of course, requires a substantially educated user, 
> which is almost always the weakest possible means of securing a system.

What I ended up doing for Xitami (an open source program that iMatix
maintains: http://www.xitami.com./) was using a different Windows
system call: GetFileType().  You feed it a Windows file handle (from
CreateFile()), and it tells you what type of thing the file handle
points at (disk file, device, etc).  This appears to work reliably on
all versions of Windows, but it means you have to use CreateFile() to
get your file handles (or open the file twice: we open the file twice,
because we want unix-style file handles in the rest of the software).

The solution isn't especially elegant.  However when faced with a file
hierachy where an arbitrary set of names in any directory are "booby
trapped" (device names), and it's nearly imposible to determine this
set in advance in any portable manner, and the end user has basically
no control over the set of names that are special (cf unix device inodes
where the user can choose where they appear in the directory hierachy),
one is forced to resort to inelegant solutions.

If you're curious to see the code we used, it is in the
src/sfl/sflfile.c file, in the Xitami 2.4d9 and Xitami 2.5b5 source
packages (available from the Xitami website above).  This is what we
developed after the Bugtraq device/device report we were faced with; our
previous combination of QueryDosDevice() and "filter known combinations"
clearly wasn't sufficient.

Ewen

-- 
Ewen McNeill, Technical Consultant, iMatix Corporation  www.imatix.com