CWE-67
Improper Handling of Windows Device Names
High
Incomplete
2006-07-19
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Improper Handling of Windows Device Names
The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
CWE Description
Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.
General Informations
Background Details
Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.Modes Of Introduction
ImplementationOperation
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)Operating Systems
Class: Windows (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Availability Confidentiality Other | DoS: Crash, Exit, or Restart, Read Application Data, Other |
Observed Examples
| References | Description |
|---|---|
CVE-2002-0106 | Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. |
CVE-2002-0200 | Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name. |
CVE-2002-1052 | Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server. |
CVE-2001-0493 | Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name. |
CVE-2001-0558 | Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name. |
CVE-2000-0168 | Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability. |
CVE-2001-0492 | Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names. |
CVE-2004-0552 | Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed. |
CVE-2005-2195 | Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name. |
Potential Mitigations
Phases : ImplementationBe familiar with the device names in the operating system where your system is deployed. Check input for these device names.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
References
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Background_Details, Other_Notes | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Observed_Examples, References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes |
