Description
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.
Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
Consequences
Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other
Potential Mitigations
Phase: Implementation
Description:
Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
CVE References
- CVE-2002-0106
- Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
- CVE-2002-0200
- Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
- CVE-2002-1052
- Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
- CVE-2001-0493
- Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
- CVE-2001-0558
- Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
- CVE-2000-0168
- Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
- CVE-2001-0492
- Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
- CVE-2004-0552
- Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
- CVE-2005-2195
- Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.
More Stories
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to...
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect...
CWE-672 – Operation on a Resource after Expiration or Release
Description The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked....