File names on many operating systems, including Windows and UNIX, may be used to access special files, which are actually devices. Reserved Microsoft Windows device names include AUX, CON, PRN, COM1, and LPT1 or paths using the \\.\ device namespace. Device files on UNIX systems are used to apply access rights and to direct operations on the files to the appropriate device drivers.
...
A Web browser that failed to check for these devices would allow an attacker to create a website with image tags such as <IMG src="file:///dev/mouse"> that would lock the user's mousemouse [Howard 2002].
Noncompliant Code Example
...
When available (Linux 2.1.126+, FreeBSD, Solaris 10, POSIX.1-2008), the O_NOFOLLOW flag should also be used. (see See POS01-C. Check for the existence of links when dealing with files.) . When O_NOFOLLOW is not available, symbolic link checks should use the method from POS35-C. Avoid race conditions while checking for the existence of a symbolic link.
...
This code contains an intractable TOCTOU (time-of-check, time-of-use) race condition under which an attacker can alter the file referenced by file_name following the call to lstat() but before the call to open(). The switch will be discovered after the file is opened, but opening the file cannot be prevented in the case where this action itself causes undesired behavior. (see See FIO45-C. Avoid TOCTOU race conditions while accessing files for more information about TOCTOU race conditions.).
Essentially, an attacker can switch out a file for one of the file types shown in the following table with the specified effect.
File Types and Effects
Type | Note on Effect |
|---|---|
Another regular file | The |
FIFO | Either |
Symbolic link |
|
Special device | Usually the |
To be compliant with this rule and to prevent this TOCTOU race condition, file_name must refer to a file in a secure directory. (see See FIO15-C. Ensure that file operations are performed in a secure directory.).
Noncompliant Code Example (Windows)
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
static bool isReservedName(const char *path) {
/* This list of reserved names comes from MSDN */
static const char *reserved[] = {
"nul", "con", "prn", "aux", "com1", "com2", "com3",
"com4", "com5", "com6", "com7", "com8", "com9",
"lpt1", "lpt2", "lpt3", "lpt4", "lpt5", "lpt6",
"lpt7", "lpt8", "lpt9"
};
bool ret = false;
/*
* First, check to see if this is a device namespace, which
* always starts with \\.\, because device namespaces are not
* valid file paths.
*/
if (!path || 0 == strncmp(path, "\\\\.\\", 4)) {
return true;
}
/* Compare against the list of ancient reserved names */
for (size_t i = 0; !ret &&
i < sizeof(reserved) / sizeof(*reserved); ++i) {
/*
* Because Windows uses a case-insensitive file system, operate on
* a lowercase version of the given filename. Note: This ignores
* globalization issues and assumes ASCII characters.
*/
if (0 == _stricmp(path, reserved[i])) {
ret = true;
}
}
return ret;
} |
Exceptions
FIO32-C-EX1: These checks are intended for opening files specified by a user (or an untrusted source). Intentionally opening device files does not violate this rule.
Risk Assessment
Allowing operations that are appropriate only for regular files to be performed on devices can result in denial-of-service attacks or more serious exploits depending on the platform.
Rule | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
FIO32-C | Medium | Unlikely | No |
No |
P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE |
Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note if there is any verification of the file name before or after the |
5.0
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
| Cppcheck Premium |
| premium-cert-fio32-c | |||||||
| Helix QAC |
| DF4921, DF4922, DF4923 | |||||||
| Parasoft C/C++test |
| CERT_C-FIO32-a | Protect against file name injection | ||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO32-C | Checks for inappropriate I/O operation on device files (rule fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | FIO05-C. Identify files using multiple file attributes | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard |
| FIO15-C. Ensure that file operations are performed in a secure directory | Prior to 2018-01-12: CERT: Unspecified Relationship | |
| CERT C Secure Coding Standard | POS01-C. Check for the existence of links when dealing with files | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | POS35-C. Avoid race conditions while checking for the existence of |
| a symbolic link | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT Oracle Secure Coding Standard for Java | FIO00-J. Do not operate on files in |
| shared directories | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-67 and FIO32-C
FIO32-C = Union( CWE-67, list) where list =
- Treating trusted device names like regular files in Windows.
- Treating device names (both trusted and untrusted) like regular files in POSIX
Bibliography
| [Garfinkel 1996] | Section 5.6, "Device Files" |
| [Howard 2002] | Chapter 11, "Canonical Representation Issues" |
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, open |
| [MSDN] |
...
...