Status: Incomplete
Weakness ID: 67 (Weakness Variant)

Description Summary
The software constructs pathnames from user input, but it does not properly handle the case where the pathname contains a Windows device name such as AUX or CON. This typically leads to a denial of service or an information leak when the application attempts to process the pathname as a regular file.

Extended Description
Failing to properly handle virtual filenames (e.g. AUX, CON, PRN, NUL, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device by injecting a virtual filename into a URL, which may cause an error that leads to a denial of service, or an error page that reveals sensitive information. A software system that allows device names to bypass its filtering runs the risk of an attacker injecting malicious code into a file that carries the name of a device.

Likelihood of Exploit
High to Very High

Weakness Ordinalities
Resultant (where the weakness is typically related to the presence of some other weaknesses)

Causal Nature
Explicit (an explicit weakness resulting from behavior of the developer)

Affected Resources
File/Directory

Potential Mitigations
Be familiar with the device names in the operating system where your system is deployed. Check input for these device names. The check must be case-insensitive and must be applied to the base name with any extension removed, because Windows treats a reserved name followed by an extension (e.g. NUL.txt or aux.c) as the device itself and also ignores trailing dots and spaces in a name.

Observed Examples

Other Notes
Historically, there was a bug in the Windows operating system that caused a blue screen of death (the well-known \con\con path crash on Windows 9x), but even after that issue was fixed, DOS device names continue to be a factor.

References
M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2003.

Relationships

Taxonomy Mappings

Applicable Platforms
Languages: All
Operating Systems: Windows

Time of Introduction
Architecture and Design; Implementation; Operation

Content History
Submissions: PLOVER. (Externally Mined)
Modifications:
Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team. MITRE. 2008-10-14. (Internal) updated Description
CWE Content Team. MITRE. 2008-11-24. (Internal) updated Relationships, Taxonomy_Mappings
Previous Entry Names: Windows MS-DOS Device Names (changed 2008-04-11)
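The following is an added example of the mitigation described in this entry; it is not code from CWE or from the cited reference. It shows a filename check that only blocks directory traversal (the kind of filter a device name slips past) beside a hardened check that applies Win32 naming rules: case-insensitive comparison, trailing dots and spaces ignored, the extension stripped before comparing, and the \\.\ and \\?\ device-namespace prefixes refused. The reserved-name set assumes a current Windows target (COM0/LPT0 and the superscript-digit forms are included, CLOCK$ kept for legacy systems); the function names and the sample inputs are constructed for the example.

```python
import re

# Reserved DOS device names on Windows (Microsoft, "Naming Files, Paths, and
# Namespaces"). Assumption for this example: the target is a current Windows
# build, so COM0/LPT0 and the superscript-digit forms are included; CLOCK$ is
# kept for legacy targets. Extend this set to match the OS you deploy on.
_RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
_RESERVED.update(f"COM{d}" for d in "0123456789\u00b9\u00b2\u00b3")
_RESERVED.update(f"LPT{d}" for d in "0123456789\u00b9\u00b2\u00b3")

# Device-namespace prefixes (\\.\ and \\?\, also with forward slashes) address
# devices directly and bypass normal path rules, so they are refused outright.
_DEVICE_PREFIX = re.compile(r"^[\\/]{2}[.?][\\/]")


def reserved_device_name(component):
    """Return the reserved device name that a single path component resolves
    to under Win32 naming rules, or None if it is an ordinary name.

    Win32 ignores trailing spaces and dots, is case-insensitive, and treats a
    reserved name followed by an extension ("CON.txt", "aux.c") as the device.
    """
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in _RESERVED else None


def reserved_components(user_path):
    """List every component of user_path that resolves to a device.

    Every component is examined, not just the last one: refusing a reserved
    name anywhere in the path is the conservative choice for untrusted input.
    """
    components = [c for c in re.split(r"[\\/]+", user_path) if c]
    return [c for c in components if reserved_device_name(c)]


def naive_is_safe(user_path):
    """The kind of filter this weakness describes as insufficient: it stops
    directory traversal but accepts 'aux.txt' or 'uploads/con' unchanged."""
    return ".." not in user_path


def is_safe_user_path(user_path):
    """Hardened check: the traversal rule plus the device-name rules above."""
    if not naive_is_safe(user_path):
        return False
    if _DEVICE_PREFIX.match(user_path):
        return False
    return not reserved_components(user_path)


if __name__ == "__main__":
    # Constructed sample inputs, e.g. filenames taken from an upload form or URL.
    samples = ["report.pdf", "aux.txt", "COM1", "com10",
               "uploads/CON./x", "\\\\.\\PhysicalDrive0"]
    for s in samples:
        print(f"{s!r:26} naive={naive_is_safe(s)!s:5} "
              f"hardened={is_safe_user_path(s)}")
```

Run on the constructed samples, the naive filter accepts everything except a traversal attempt, while the hardened check rejects aux.txt, COM1, the CON component with a trailing dot, and the raw device path, and still accepts report.pdf and com10 (COM10 is not a reserved name). Recent Python versions also ship a built-in test for this rule (os.path.isreserved() on Windows from 3.13, and the older pathlib.PureWindowsPath.is_reserved()); whichever check you use, apply it before the name ever reaches a file API, since the operating system will not refuse the open for you.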