Date: Wed, 18 Jul 2001 06:00:16 +0900
From: Ishikawa <ishikawa@yk.rim.or.jp>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabilities)
While we can bash MS-Windows
due to the problems mentioned,
we should not forget that a famous browser client on
Linux is similarly guilty.
I tried the following URLs with
my netscape browser under Linux.
file:///dev/null
returns immediately saying there is no data. Good.
file:///dev/zero
doesn't crash the browser nor OS, but it sucks CPU time
nevertheless since it tries to read the data forever until
I pushed the stop button.
The next is a showstopper.
The problem URL that caused the hung of browser,
at least, on my PC is the following.
file:///dev/pty0
This locked my netscape navigator solid.
I had to kill it using kill command from another
xterm window. X didn't get hung, etc..
Since trying other devices may cause more severe problems
I stopped testing here.
So, at least the netscape navigator client
seems to have similar problems discussed, and
I have no idea if there is a clear-cut cure for this.
(My guess is that any OS that makes devices
available as part of filesystem have some problems in
this regard if the devices in questins are accessible by
the user/web account.)
If someone wants to be nasty, he/she can
create a web page with
URLs inside <IMG SRC="these device files" ....>
listing DOS devices as well as these popular UNIX devices.
As someone mentioned, we can't predict what other
device files may show up in the future by addition of
new hardware drivers.
One may be tempted to block all the files below /dev inside
the browser/servers.
Could this be a cure for this problem under linux/UNIX?
(Yes, I know we can have devices under different places.
But I am not sure if the devices under non-stanard places
can be used for DoS attacks in the browser context
I mentioned above.)
Linux version.
Linux duron 2.4.6 #27 Wed Jul 11 05:08:01 JST 2001 i686 unknown
Netscape is 4.77.
