CWE-67 - Improper Handling of Windows Device Names

Read Time:2 Minute, 22 Second

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-66

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

Potential Mitigations

Phase: Implementation

Description:

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

CVE References

CVE-2002-0106
- Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

CVE-2002-0200
- Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.

CVE-2002-1052
- Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.

CVE-2001-0493
- Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.

CVE-2001-0558
- Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.

CVE-2000-0168
- Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.

CVE-2001-0492
- Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.

CVE-2004-0552
- Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.

CVE-2005-2195
- Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

InCVE-2002-0106, CWE- 67, Improper Handling of Windows Device Names

Cyber Security News

Alarming Decline in Cybersecurity Job Postings in the US

Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Russia’s Sandworm Upgraded to APT44 by Google’s Mandiant

New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads

Change Healthcare data for sale on dark web as fallout from ransomware attack spirals out of control

3.5 million Omni Hotel guest details held to ransom by Daixin Team

Police smash LabHost international fraud network, 37 arrested

US Election Officials Told to Prepare for Nation-State Influence Campaigns

CWE-67 – Improper Handling of Windows Device Names

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security

CWE-672 – Operation on a Resource after Expiration or Release