Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: David LeBlanc (dleblancmindspring.com)
Date: Mon Jul 16 2001 - 14:26:09 CDT
> -----Original Message-----
> From: Martin Werner [mailto:bugtraqmartinwerner.de]
> Sent: Monday, July 16, 2001 3:31 AM
> To: BUGTRAQSECURITYFOCUS.COM
> Subject: AW: Windows MS-DOS Device Name DoS vulnerabilities
> Just want to give a new thought.
> Fact is, that on the one hand side, its merely impossible to
> write an safe
> ftp server using Microsofts Filesystem, because device names can cause
> trouble (and I think, this is not a bug, but it's been discussed)
I beg to differ. First, let's distinguish between file systems. If you say
that it wouldn't be advisable to write a FTP server designed to run on FAT
file systems, then I'd be inclined to agree. You can, OTOH, do a lot of work
to re-implement file system security sufficient for a FTP server and be OK.
Now, on to the issue with device names - this isn't all that terribly
difficult, and is part of proper file canonicalization practices. A call to
CreateFile() on a device name will always succeed (or possibly blow up an
unpatched Win9x system, so go get the patch or consider running your FTP
server on NT or Win2k). Next, a call to GetFileInformationByHandle() will
always fail if it is a device. GetFileType() can also be used to determine
whether something is a device.