From: Wall, Kevin (Kevin.Wallqwest.com)
Date: Mon Dec 10 2001 - 12:55:14 CST
Michael Howard writes...
> it's not just ms-dos device names - there's /dev/XXXX on
> unix/linux also.
> > Steven M. Christey writes...
> > David Wong said:
> > >I propose we get together a list of problems that we
> > >can fit into
> > >"atoms".
> > >
> > >[snip]
> > >3. Path problems
> > > - Parent paths (../../)
> > You might want to add MS-DOS device names to this list.
> > The end result generally seems to be a denial of service.
I beg to differ with Michael Howard's assessment that
Unix/Linux device names also need to be considered as a
*special* case similar to the way I think that MS-DOS device
names ought to be considered.
I think there's a difference here between Unix/Linux
device names and MS-DOS device names. IIRC, the latter
can appear anywhere, without regard to any path name (e.g.,
'type filename > nul', etc.). The former *nix device names
will almost always be in /dev, and should NEVER
be under document root. (In my experience, this is
true at least 99.999% of the time. The sole
exceptions being either when a clueless SA creates
a device file itself or a [symbolic] link to one outside
of /dev, or sometimes when a cracker has already compromised
the system and has left a device file or link to one
somewhere else to access as a back-door.)
Thus, for *nix, if one assumes that:
1) all *nix device files are appropriately
located ONLY under /dev;
2) the web server's document root is NOT
3) there are no links (symbolic or otherwise)
that allow access to either the /dev directory
or any of the device files,
then whether or not a *nix device file can be exploited
via the web server is EQUIVALENT TO whether the web
server will inappropriately allow one to "escape" from
the web server's document root (via the ../.. etc.
shenanigans) to get to /dev. (And clearly it should not.)
But the point is, I don't think this needs to be considered
as a separate case under *nix.
Because DOS device names may appear anywhere (that is,
they are not rooted in some particular directory), they
SHOULD be considered as a special case, since they effectively
CAN APPEAR under the web server's document root (at least if
the web server or OS doesn't specifically prohibit it).
Now I'll grant that perhaps this doesn't pertain to more
advanced file systems like NTFS, but (and I'm not an expert
here, so flame me if I'm wrong ;-) I think this issue of
MS-DOS device names would have to pertain to FAT16/FAT32
based file systems on at least some operating systems.
I should think that on such systems, the web servers would
need to account for these device files as a special case.
(But I would hope that web applications wouldn't have to
try to accommodate all these special cases.)
Of course, I don't think web servers should be placed on
FAT type file systems, but it sadly seems that many are.
---
Kevin W. Wall
Qwest Communications International, Inc.
Kevin.Wallqwest.com
Phone: 614.932.5542
"Wipe Info uses hexadecimal values to wipe files. This provides more
security than wiping with decimal values."
-- Norton System Works 2002 manual, pg 160
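The two checks discussed in this thread, rejecting reserved MS-DOS device names anywhere in a request path and refusing paths that "escape" the document root via ../.., as an added Python example. This is not code from the thread or from any web server named in it; the document root, the request paths and the reserved-name list (CON, PRN, AUX, NUL, COM1-9, LPT1-9) are assumptions for illustration, and it assumes the request path has already been URL-decoded. It treats a name with an extension (e.g. nul.txt) as the device it names, which is how DOS/Windows resolve such names, so the check is slightly broader than the bare names mentioned above.

```python
import posixpath
from typing import Optional

# Assumed list of reserved MS-DOS/Windows device names. DOS and Windows also
# resolve "NUL.txt" or "com1.log" to the device, so any extension is stripped
# before comparing.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component names a DOS device (case-insensitive)."""
    base = component.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def resolve_under_docroot(docroot: str, request_path: str) -> Optional[str]:
    """Map an (already URL-decoded) request path onto the document root.

    Returns the resolved filesystem path, or None if the request names a
    DOS device or would resolve outside the document root.
    """
    docroot = posixpath.normpath(docroot)
    # Strip the leading "/" so join() treats the request as relative; keep
    # any ".." components so an escape attempt is visible after normpath.
    rel = posixpath.normpath(request_path.lstrip("/"))

    # Check 1: reserved device names are rejected anywhere in the path,
    # because (unlike /dev on *nix) they are not rooted in a directory.
    for component in rel.split("/"):
        if component and is_reserved_device_name(component):
            return None

    # Check 2: after normalisation the result must still sit under docroot.
    full = posixpath.normpath(posixpath.join(docroot, rel))
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests against an assumed document root.
    for req in ["/index.html", "../../etc/passwd", "docs/nul.txt", "com1", "a/../b.html"]:
        print(f"{req!r:22} -> {resolve_under_docroot('/var/www/html', req)}")
```

Both checks run on the normalised path, so "a/../b.html" is accepted (it stays under the root) while "../../etc/passwd" is refused; the device-name check does not depend on where in the path the name appears, which is exactly the property that makes the DOS case different from /dev.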