logo

Improper Handling of Windows Device Names

Incomplete Variant
Structure: Simple
Description

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Extended Description

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.
Common Consequences 1
Scope: AvailabilityConfidentialityOther

Impact: DoS: Crash, Exit, or RestartRead Application DataOther
Potential Mitigations 1
Phase: Implementation
Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
Observed Examples 9
CVE-2002-0106Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
CVE-2002-0200Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
CVE-2002-1052Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
CVE-2001-0493Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
CVE-2001-0558Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
CVE-2000-0168Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability.
CVE-2001-0492Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
CVE-2004-0552Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
CVE-2005-2195Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.
References 2
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Likelihood of Exploit

High

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Operation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Handling of File Names that Identify Virtual Resources (CWE-66)
Taxonomy Mapping
  • PLOVER
  • CERT C Secure Coding
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns