Improper Handling of Windows Device Names

Description

This vulnerability occurs when an application builds file paths from user input but fails to properly recognize or handle Windows reserved device names like AUX, CON, or COM1. Attackers can exploit this by submitting these special names, which typically causes the application to crash, hang, or leak sensitive information when it tries to access them as regular files.

Extended Description

Windows reserves certain filenames like AUX, CON, PRN, COM1, and LPT1 for internal device access. When an application accepts user-controlled input for filenames or paths without filtering these names, it may attempt to open a system device instead of a file. This often triggers unexpected errors, leading to application denial of service or revealing internal error details in logs or web responses. Beyond crashes, this flaw can bypass security filters. If an application's validation logic doesn't block these reserved names, an attacker might upload a malicious file disguised as a device name, or inject a device path into a URL parameter. This can disrupt file processing routines, expose stack traces or configuration data, and in some cases, be combined with other weaknesses to execute arbitrary commands.

Common Consequences 1

Scope: AvailabilityConfidentialityOther

Impact: DoS: Crash, Exit, or RestartRead Application DataOther

Potential Mitigations 1

Phase: Implementation

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

Observed Examples 9

CVE-2002-0106Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

CVE-2002-0200Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.

CVE-2002-1052Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.

CVE-2001-0493Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.

CVE-2001-0558Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.

CVE-2000-0168Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the "DOS Device in Path Name" vulnerability.

CVE-2001-0492Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.

CVE-2004-0552Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.

CVE-2005-2195Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.

References 2

Writing Secure Code

Michael Howard and David LeBlanc

Microsoft Press

04-12-2002

https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

ID: REF-7

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

Likelihood of Exploit

High

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Operation

Functional Areas

File Processing

Affected Resources

File or Directory

Related Weaknesses

ChildOf:

Improper Handling of File Names that Identify Virtual Resources (CWE-66)

Taxonomy Mapping

PLOVER
CERT C Secure Coding
The CERT Oracle Secure Coding Standard for Java (2011)
Software Fault Patterns