[21638] in bugtraq
Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabilities)
daemon@ATHENA.MIT.EDU (Richard Kettlewell)
Thu Jul 19 12:40:21 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <84d76yyqzx.fsf@rjk.greenend.org.uk>
Date: Wed, 18 Jul 2001 20:30:26 +0100 (BST)
From: Richard Kettlewell <rjk+news@sfere.greenend.org.uk>
Mail-Copies-To: nobody
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
In-Reply-To: <3B54A760.FEFB9844@yk.rim.or.jp>
Ishikawa <ishikawa@yk.rim.or.jp> writes:
> One may be tempted to block all the files below /dev inside
> the browser/servers.
If I ask my currently running web browser to open
file:/proc/self/fd/3, it gets /dev/zero, and starts burning CPU and
disc (until it runs out).
There's some pipes in there too, which presumably have internal
significance to the executing program; if I'd started it from a
terminal there'd be some FDs onto that. I'm sure there are all sorts
of possibilities for disruption.
Special files outside /dev constitute as much of a risk as the
contents of /dev.
> Could this be a cure for this problem under linux/UNIX?
> (Yes, I know we can have devices under different places.
> But I am not sure if the devices under non-stanard places
> can be used for DoS attacks in the browser context
> I mentioned above.)
A better answer might be to stat the file, and reject it if it not a
regular file. Another approach would be to forbid inlining "file:"
URLs from external pages, as described at
http://bugzilla.mozilla.org/show_bug.cgi?id=91316
ttfn/rjk
