CWE-67: Improper Handling of Windows Device Names

VariantIncompleteExploit Likelihood: High

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

View on MITRE
Back to CWE Lookup

Extended Description

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Windows

Frequently Asked Questions

What is CWE-67: Improper Handling of Windows Device Names?+

CWE-67: Improper Handling of Windows Device Names is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

What are the security consequences of Improper Handling of Windows Device Names?+

If exploited, CWE-67 (Improper Handling of Windows Device Names) it can compromise Availability, Confidentiality and Other, leading to outcomes such as DoS: Crash, Exit, or Restart, Read Application Data and Other.

How do you prevent or mitigate Improper Handling of Windows Device Names?+

Recommended mitigations for CWE-67 include: Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

Which programming languages are affected by Improper Handling of Windows Device Names?+

CWE-67 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Handling of Windows Device Names?+

MITRE documents real CVEs mapped to CWE-67, including CVE-2002-0106, CVE-2002-0200, CVE-2002-1052, CVE-2001-0493 and CVE-2001-0558. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-67 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More