File names on many operating systems, including Windows and UNIX, may be used to access special files, which are actually devices. Reserved MS-DOS device names include AUX, CON, PRN, COM1, and LPT1. Device files on UNIX systems are used to apply access rights and to direct operations on the files to the appropriate device drivers.
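The following is an added example, not code from this page or from CERT: a portable check that rejects a user-supplied file name whose base name Windows would resolve to a reserved MS-DOS device. Windows matches the reserved name case-insensitively and ignores everything from the first period onward, so CON.txt names the console rather than a file. The list in the code is the full documented set (NUL, COM1 through COM9 and LPT1 through LPT9 in addition to the names given in the text); the function name and the separator handling are this example's own choices.

```c
/*
 * Added example (not from the CERT page): reject user-supplied file names
 * that Windows would resolve to a reserved MS-DOS device.
 *
 * Win32 maps the base name, ignoring case and anything after the first '.',
 * onto the device, so "con", "CON.txt" and "Com1.log" all name devices.
 * The list below is the set documented by Microsoft; the page itself lists
 * only AUX, CON, PRN, COM1 and LPT1.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static const char *const reserved_names[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Case-insensitive comparison of exactly n bytes of s against the
 * NUL-terminated, upper-case reserved name r. */
static int eq_ignore_case(const char *s, size_t n, const char *r)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (r[i] == '\0' ||
            toupper((unsigned char)s[i]) != (unsigned char)r[i]) {
            return 0;
        }
    }
    return r[n] == '\0';
}

/* Returns 1 if the final path component is a reserved device name,
 * optionally followed by an extension, and 0 otherwise. Both '\\' and '/'
 * are accepted as separators, as Win32 does. */
int is_reserved_dos_device_name(const char *path)
{
    const char *base = path;
    const char *p;
    size_t stem_len;
    size_t i;

    /* The base name starts after the last separator. */
    for (p = path; *p != '\0'; p++) {
        if (*p == '\\' || *p == '/') {
            base = p + 1;
        }
    }

    /* Device matching ignores everything from the first '.' onward. */
    for (stem_len = 0; base[stem_len] != '\0' && base[stem_len] != '.'; stem_len++) {
        ;
    }
    if (stem_len == 0) {
        return 0;
    }

    for (i = 0; i < sizeof reserved_names / sizeof reserved_names[0]; i++) {
        if (eq_ignore_case(base, stem_len, reserved_names[i])) {
            return 1;
        }
    }
    return 0;
}
```

The check covers only case and extension. Windows also strips trailing spaces and periods from a name before resolving it, so a check used in production should canonicalize the name first (or, better, generate file names itself instead of accepting them from input).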

...

Device files in UNIX can be a security risk when an attacker can access them in an unauthorized way. For instance, if attackers can read or write to the /dev/kmem device, they may be able to alter their priority, UID, or other attributes of their process, or simply crash the system. Similarly, access to disk devices, tape devices, network devices, and terminals being used by other processes can all lead to problems [Garfinkel 96].

...

#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_NOFOLLOW refuses to open a symbolic link; O_NONBLOCK keeps open()
 * from hanging if the name turns out to refer to a FIFO or a device */
#ifdef O_NOFOLLOW
  #define OPEN_FLAGS O_NOFOLLOW | O_NONBLOCK
#else
  #define OPEN_FLAGS O_NONBLOCK
#endif

/* ... */

struct stat orig_st;
struct stat open_st;
int fd;
int flags;
char file_name[PATH_MAX];

/* initialize file_name; sizeof(file_name) is the buffer size only
 * because file_name is an array, not a pointer */

if (!fgets(file_name, sizeof(file_name), stdin)) {
  /* Handle error */
}
file_name[strcspn(file_name, "\n")] = '\0'; /* drop the newline fgets() keeps */

/* lstat() does not follow symbolic links, so a link to a device is
 * rejected here along with devices, FIFOs, and directories */
if ((lstat(file_name, &orig_st) != 0)
 || (!S_ISREG(orig_st.st_mode)))
{
  /* Handle error */
}

/* A TOCTOU race condition exists here, see below */

fd = open(file_name, OPEN_FLAGS | O_WRONLY);
if (fd == -1) {
  /* Handle error */
}

/* Re-examine the object through the descriptor actually opened */
if (fstat(fd, &open_st) != 0) {
  /* Handle error */
}

if ((orig_st.st_mode != open_st.st_mode) ||
    (orig_st.st_ino  != open_st.st_ino) ||
    (orig_st.st_dev  != open_st.st_dev)) {
  /* file was tampered with: close fd without writing to it */
  close(fd);
  /* Handle error */
}

/* Optional: drop the O_NONBLOCK now that we are sure
 * this is a good file */
if ((flags = fcntl(fd, F_GETFL)) == -1) {
  /* Handle error */
}

if (fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) != 0) {
  /* Handle error */
}

/* Operate on file */

close(fd);

This code contains an intractable TOCTOU race condition under which an attacker can alter the file referenced by file_name after the call to lstat() but before the call to open(). The switch is detected after the file is opened, but the open itself cannot be prevented, so the solution does not help when merely opening the device causes the undesired behavior. The O_NONBLOCK flag limits the damage of such a swap: if the path has become a FIFO or a device that would otherwise block on open, open() returns instead of hanging, and the fstat() comparison then catches the substitution before anything is written.
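As an added example (not the page's or CERT's own code), the compliant pattern above is wrapped in a function that reports why an open was refused, together with a driver that exercises it against a regular file, the /dev/null character device, a symbolic link to that device and a FIFO. It assumes a POSIX system with /dev/null present and a writable /tmp; the enum, the function names and the scratch-file names are this example's own.

```c
/* Added example, not from the CERT page: lstat/open/fstat pattern as a
 * reusable function, exercised against devices, links and FIFOs. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef O_NOFOLLOW
#define OPEN_FLAGS (O_NOFOLLOW | O_NONBLOCK)
#else
#define OPEN_FLAGS O_NONBLOCK
#endif

enum open_result {
    OPEN_OK = 0,       /* *fd_out is the regular file that lstat() saw */
    OPEN_NOT_REGULAR,  /* device, FIFO, directory or symlink: refused */
    OPEN_FAILED,       /* lstat(), open(), fstat() or fcntl() failed */
    OPEN_TAMPERED      /* object changed between lstat() and open() */
};

/* Opens path for writing only if it is a regular file. No descriptor is
 * handed back in any case other than OPEN_OK. */
enum open_result open_regular_file(const char *path, int *fd_out)
{
    struct stat orig_st, open_st;
    int fd, flags;

    *fd_out = -1;
    /* lstat() does not follow symlinks, so a link to /dev/kmem fails here. */
    if (lstat(path, &orig_st) != 0)
        return OPEN_FAILED;
    if (!S_ISREG(orig_st.st_mode))
        return OPEN_NOT_REGULAR;

    /* TOCTOU window: the object behind path may be swapped here. O_NONBLOCK
     * keeps the open from hanging if it became a FIFO or a slow device. */
    fd = open(path, OPEN_FLAGS | O_WRONLY);
    if (fd == -1)
        return OPEN_FAILED;

    /* Re-check on the descriptor we actually hold. */
    if (fstat(fd, &open_st) != 0) {
        close(fd);
        return OPEN_FAILED;
    }
    if (orig_st.st_mode != open_st.st_mode || orig_st.st_ino != open_st.st_ino ||
        orig_st.st_dev != open_st.st_dev) {
        close(fd);
        return OPEN_TAMPERED;
    }

    /* Blocking I/O is fine now that this is known to be a plain file. */
    flags = fcntl(fd, F_GETFL);
    if (flags == -1 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) != 0) {
        close(fd);
        return OPEN_FAILED;
    }
    *fd_out = fd;
    return OPEN_OK;
}

struct demo_results {
    enum open_result regular, device, symlink_to_device, fifo;
};

/* Creates the test objects in a scratch directory (names chosen for this
 * example) and records how open_regular_file() classifies each one. */
int run_demo(struct demo_results *r)
{
    char dir[] = "/tmp/fio32-XXXXXX";
    char path[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;

    snprintf(path, sizeof path, "%s/plain.txt", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    close(fd);
    r->regular = open_regular_file(path, &fd);
    if (fd != -1)
        close(fd);
    unlink(path);

    r->device = open_regular_file("/dev/null", &fd);   /* character device */

    snprintf(path, sizeof path, "%s/devlink", dir);
    if (symlink("/dev/null", path) != 0)
        return -1;
    r->symlink_to_device = open_regular_file(path, &fd);
    unlink(path);

    snprintf(path, sizeof path, "%s/fifo", dir);       /* fopen(path, "w") would block */
    if (mkfifo(path, 0600) != 0)
        return -1;
    r->fifo = open_regular_file(path, &fd);
    unlink(path);

    rmdir(dir);
    return 0;
}
```

With a plain fopen(path, "w") the FIFO case would block until a reader appeared. Here it never reaches open(), because lstat() has already classified it; a FIFO swapped in during the race would still be caught, since the non-blocking open returns immediately and the fstat() comparison rejects the descriptor before anything is written to it.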

...

#include <windows.h>

/* A dwDesiredAccess of 0 lets the handle be queried for attributes
 * without requesting read or write access to the object */
HANDLE hFile = CreateFile(
  pFullPathName, 0, 0, NULL, OPEN_EXISTING, 0, NULL
);
if (hFile == INVALID_HANDLE_VALUE) {
  /* Handle error */
}
else {
  /* Refuse anything that is not a disk file: FILE_TYPE_CHAR covers
   * consoles and LPT/COM devices, FILE_TYPE_PIPE covers pipes and sockets */
  if (GetFileType(hFile) != FILE_TYPE_DISK) {
    CloseHandle(hFile);
    /* Handle error */
  }
  else {
    /* operate on file */
    CloseHandle(hFile);
  }
}

Risk Assessment

Allowing operations to be performed on devices that are only appropriate for files can result in denial-of-service attacks or more serious exploits depending on the platform.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO32-C   medium    unlikely    medium            P4        L3

...