Bypassing the Napster filters is my favorite canonicalization bug because it’s so nontechnical. Unless you were living under a rock in early 2001, you’ll know that Napster was a music-swapping service that was taken to court by the Recording Industry Association of America (RIAA), which viewed the service as piracy. A U.S. federal judge ordered Napster to block access to certain songs, which Napster did. However, this song-blocking was based on the name of the song, and it wasn’t long before people realized how to bypass the Napster filters: simply by giving the song a name that resembles the song title but that is not picked up by the filters. For example, using the music of Siouxsie and the Banshees as an example, I might rename "Candyman" as "AndymanCay" (the pig latin version), "92 degrees" as "92 degree$," and "Deepest Chill" as "Deepest Chi11." This is a disclosure vulnerability because it gives access to files to users who should not have access. In this case, Napster’s lack of a secure canonicalization method for filenames made it difficult to enforce a court-mandated security policy.

You can read more about this issue at http://news.cnet.com/news/0-1005-200-5042145.html.

The version of the Apache Web server that shipped with the first release of Apple’s Mac OS X operating system contains a security flaw when Apple’s Hierarchical File System Plus (HFS+) is used. HFS+ is a case-insensitive file system, and this foils Apache’s directory-protection mechanisms, which use text-based configuration files to determine which data to protect and how to protect it.

For example, the administrator might decide to protect a directory named scripts with the following configuration file to prevent scripts from being accessed by anyone:

<Location /scripts>
    order deny, allow
    deny from all
</Location> 

A normal user attempting to access http://www.northwindtraders.com/scripts/index.html will be disallowed access. However, an attacker can enter http://www.northwindtraders.com/SCRIPTS/index.html, and access to Index.html will be allowed.

The vulnerability exists because HFS+ is case-insensitive, but the version of Apache shipped with Mac OS X is case-sensitive. So, to Apache, SCRIPTS is not the same as scripts, and the configuration script has no effect. But to HFS+, SCRIPTS is the same as scripts, so the "protected" index.html file is fetched and sent to the attacker.

You can read more about this security flaw at http://www.securityfocus.com/archive/1/190036.

As you might know, some filenames in MS-DOS spilled over into Windows for backward-compatibility reasons. These items are not really files; rather, they are devices. Examples include the default serial port (aux) and printer (lpt1 and prn). In this vulnerability, the attacker forces Windows 95 and Windows 98 to access the device. When Windows attempts to interpret the device name as a file resource, it performs an illegal resource access that usually results in a crash.

You can learn more about this vulnerability at http://www.microsoft.com/technet/security/bulletin/MS00-017.asp.

I added this vulnerability because symbolic-link vulnerabilities are extremely common in UNIX and Linux. A symbolic link (symlink) is a file that only points to another file; therefore, it can be considered another name for a file. UNIX also has the hard-link file type, which is a file that is semantically equivalent to the one it points to. Hard links share access rights with the file they point to, whereas symlinks do not share those rights.

For example, /tmp/frodo, a symlink in the temporary directory, might point to the UNIX password file /etc/passwd or to some other sensitive file.

On startup, Sun’s StarOffice creates an object named /tmp/soffice.tmp. This object can be used by anyone for nearly any purpose. In UNIX parlance, the access mask is 0777, which is just as bad as Everyone (Full Control). An attacker can create a symlink from /tmp/soffice.tmp to a user’s file. When that user then runs StarOffice, StarOffice blindly changes the permission settings on that file (because setting permissions on a symlink sets the permissions of the target, if the process has permission to make that change). Once this is done, the attacker can read the file.

If the attacker linked /tmp/soffice.tmp to /etc/passwd and someone ran StarOffice as the UNIX administrator, the permissions on /etc/passwd would get changed. Learn more about this bug at http://www.securityfocus.com/bid/1922.

Almost all of the canonicalization bugs I’ve discussed occur when user input is passed between multiple components in a system. If the first component to receive user input does not fully canonicalize the input before passing the data to the second component, the system is at risk.

Windows can represent filenames in many ways, due in part to extensibility capabilities and backward compatibility. If you accept a filename and use it for any security decision, it is crucial that you read this section.

String SensitiveFiles[] = {"Fiscal02Budget.xls", "ProductPlans.Doc"};
IPAddress RestrictedIP[] = {172.30.0.0, 192.168.200.0};

BOOL AllowAccessToFile(FileName, IPAddress) {
    If (FileName In SensitiveFiles[] && IPAddress In RestrictedIP[])
        Return FALSE;
    Else
        Return TRUE;
}

BOOL fAllow = FALSE;
//This will deny access.
fAllow = AllowAccessToFile("Fiscal02Budget.xls", "172.30.43.12");

//This will allow access. Ouch!
fAllow = AllowAccessToFile("FISCAL~1.XLS", "172.30.43.1 2");

#include <strsafe.h>
char b[20];
StringcbCopy(b, sizeof(b), "Hello!");
HANDLE h = CreateFile("c:\somefile.txt",
                      GENERIC_WRITE,
                      0, NULL,
                      CREATE_ALWAYS,
                      FILE_ATTRIBUTE_NORMAL,
                      NULL);
if (h != INVALID_HANDLE_VALUE) {
    DWORD dwNum = 0;
    WriteFile(h, b, lstrlen(b), &dwNum, NULL);
    CloseHandle(h);
}

h = CreateFile("c:\somefile.txt.", //Trailing dot
               GENERIC_READ,
               0, NULL,
               OPEN_EXISTING,
               FILE_ATTRIBUTE_NORMAL,
               NULL);
if (h != INVALID_HANDLE_VALUE) {
    char b[20];
    DWORD dwNum =0;
    ReadFile(h, b, sizeof b, &dwNum, NULL);
    CloseHandle(h);
}

America Online (AOL) 5.0 added controls so that parents could prevent their children from accessing certain Web sites. When a user typed a URL in the browser, the software checked the Web site name against a list of restricted sites, and if it found the site on the list, access to that site was blocked. Here’s the flaw: if the user added a period to the end of the host name, the software allowed the user to access the site. My guess is that the vulnerability existed because the software did not take into consideration the trailing dot when performing a string compare against the list of disallowed Web sites, and the software stripped out invalid characters from the URL after the check had been made.

The bug is now rectified. More information on this vulnerability can be found at http://www.slashdot.org/features/00/07/15/0327239.shtml.

The irony of this example is that the vulnerabilities were found in a security product, SecureIIS, designed to protect Microsoft Internet Information Services (IIS) from attack. Marketing material from eEye (http://www.eeye.com) describes SecureIIS like so:

Two canonicalization bugs were found in the product. The first related to how SecureIIS handled specific keywords. For example, say you decided that a user (or attacker) should not have access to a specific area of the Web site if he entered a URL query string containing action=delete. An attacker could escape any character in the query string to bypass the SecureIIS settings. Rather than entering action=delete, the attacker could enter action=%64elete and obtain the desired access. %64 is the hexadecimal representation of the letter d.

The other bug related to how SecureIIS checked for characters that were used to traverse out of a Web directory to other directories. For example, as a Web site developer or administrator, you wouldn’t want users accessing a URL like http://www.northwindtraders.com/scripts/process.asp?file=../../../winnt/repair/sam, which returns the backup SAM database to the user. The traversal characters are the two dots (..) and the slash (/), which SecureIIS looks for. However, an attacker can bypass the check by typing http://www.northwindtraders.com/scripts/process.asp?file=%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam. As you’ve probably worked out, %2e is the escaped representation of the dot in hexadecimal!

You can read more about this vulnerability at http://www.securityfocus.com/bid/2742.

Security zones, introduced in Internet Explorer 4 (exported by UrlMon.dll), are an easy way to administer security because they allow you to gather security settings into easy-to-manage groups. These settings are enforced as the user browses Web sites. Each Web page is handled according to specific security restrictions depending on the page’s host Web site, thereby tying security restrictions to Web page origin.

Internet Explorer 4 uses a simple heuristic to determine whether a Web site is located in the more trusted Local Intranet Zone or in the less trusted Internet Zone. If a Web site name contains one or more dots, such as http://www.microsoft.com, the site must be in the Internet Zone unless the user has explicitly placed the Web site in some other zone. If the site has no dots in its name, such as http://northwindtraders, it must be in the Local Intranet Zone because only a NetBIOS name, which has no dots, can be accessed from within the local intranet. Makes sense, right? Not quite!

This mechanism has a wrinkle: if the user enters the IP address of a remote computer, Internet Explorer will apply the security settings of the more restrictive Internet Zone, even if the site is on the local intranet. This is good because the browser will use more stringent security checks. However, an IP address can be represented as a dotless-IP address, which can be calculated by taking a dotted-IP address—that is, an address in the form a.b.c.d—and applying the following formula:

Dotless-IP = (a × 16777216) + (b × 65536) + (c × 256) + d

For example, 192.168.197.100 is the same as 3232286052. If you enter http:/ /192.168.197.100 in Internet Explorer 4, the browser will invoke security policies for the Internet Zone, which is correct. And if you enter http://3232286052 in the unpatched Internet Explorer 4, the browser will notice no dots in the name, place the site in the Local Intranet Zone, and apply the less restrictive security policy. This might lead to a malicious Internet-based Web site executing code in the less secure environment.

More information is available at http://www.microsoft.com/technet/security/bulletin/MS98-016.asp.

I remember the IIS ::$DATA vulnerability well because I was on the IIS team at the time the bug was found. Allow me to go over a little background material. The NTFS file system built into Microsoft Windows NT and later is designed to be a superset of many other file systems, including the Apple Macintosh HFS file system, which supports two sets of data, or forks, in a disk-based file. These forks are called the data fork and the resource fork. (You can read more about this at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147438) To help support these files, NTFS provides multiple-named data streams. For example, you could create a new stream named test in a file named Bar.txt—that is, bar.txt:test—by using the following code:

char *szFilename = "c:\temp\bar.txt:test";
HANDLE h = CreateFile(szFilename,
                      GENERIC_WRITE,
                      0, NULL,
                      CREATE_ALWAYS,
                      FILE_ATTRIBUTE_NORMAL,
                      NULL);
if (h == INVALID_HANDLE_VALUE) {
    printf("Error CreateFile() %d", GetLastError());
    return;
}

char *bBuff = "Hello, stream world!";
DWORD dwWritten = 0;
if (WriteFile(h, bBuff, lstrlen(bBuff), &dwWritten, NUL L)) {
    printf("Cool!");
} else {
    printf("Error WriteFile() %d", GetLastError());
}

This example code is available in the companion content in the folder Secureco2Chapter11NTFSStream. You can view the contents of the file from the command line by using the following syntax:

more < bar.txt:test    

You can also use the echo command to insert a stream into a file and then view the contents of the file:

echo Hello, Stream World! > bar.txt:test
more < bar.txt:test

Doing so displays the contents of the stream on the console. The "normal" data in a file is held in a stream that has no name, and it has an internal NTFS data type of $DATA. With this in mind, you can also access the default data stream in an NTFS file by using the following command-line syntax:

more < boot.ini::$DATA

Figure 11-1 outlines what this file syntax means.

Figure 11-1. The NTFS file system stream syntax.

An NTFS stream name follows the same naming rules as an NTFS filename, including all alphanumeric characters and a limited set of punctuation characters. For example, two files, john3 and readme, with streams named 16 and now, respectively, would become john3:16 and readme:now. Any combination of valid filename characters is allowed.

Back to the vulnerability. When IIS receives a request from a user, the server looks at the file extension and determines what it should do with the request. For example, if the file ends in .asp, the request must be for an Active Server Pages (ASP) file, so the server routes the request to Asp.dll for processing. If IIS does not recognize the extension, the request is sent directly to Windows for processing so that the contents of the file can be shown to the user. This functionality is handled by the static-file handler. Think of this as a big default switch in a switch statement. So if the user requests Data.txt and no special extension handler, called a script map, associated with the .txt file extension is found, the source code of the text file is sent to the user.

The vulnerability lies in the attacker requesting a file such as Default.asp::$DATA. When IIS evaluates the extension, it does not recognize .asp::$DATA as a file extension and passes the file to the operating system for processing. NTFS determines that the user requested the default data stream in the file and returns the contents of Default.asp, not the processed result, to the attacker.

You can find out more about this bug at http://www.microsoft.com/technet/security/bulletin/MS98-003.asp.

A recent vulnerability is processing lines that include carriage return or carriage return/line feed characters. Imagine your application logs client requests, and as an example, a client requests file.txt. Your server application logs the IP address of the client, his name, the date and time, and the requested resource in the following format:

172.23.11.19 Mike 2002-09-03 13:02:43 file.txt

Imagine that an attacker decides to access a file named file.txt 127.0.0.1 Cheryl 2002-09-03 13:03:00 secretfile.txt, which results in this log entry:

172.23.11.19   Mike          2002-09-03    13:02:43    file.txt
127.0.0.1      Cheryl        2002-09-03    13:03:00    secretfile.txt

Does this mean that Cheryl accessed a sensitive file by logging on the server (127.0.0.1)? No, it does not. The attacker forced a new entry in the log file by using a carriage return and line feed character in the requested resource! You can read more about this vulnerability at http://online.securityfocus.com/archive/82/271498/2002-05-09/2002-05-15/2.

What makes Web-based canonicalization issues so prevalent and hard to defend against is the number of ways you can represent any character. For example, any character can be represented in a URL or a Web page by using one or more of the following mechanisms:

The simplest, and by far the most effective way of avoiding canonicalization bugs is to avoid making decisions based on the filename. Let the file system and operating system do the work for you, and use ACLs or other operating system–based authorization technologies. Of course, it’s not quite as simple as that! Some security semantics cannot currently be represented in the file system. For example, IIS supports scripting. In other words, a script file, such as an ASP page containing Visual Basic Scripting Edition (VBScript) or Microsoft JScript, is read and processed by a script engine, and the results of the script are sent to the user. This is not the same as read access or execute access; it’s somewhere in the middle. IIS, not the operating system, has to determine how to process the file. All it takes is a mistake in IIS’s canonicalization, such as that in the ::$DATA exploit, and IIS sends the script file source code to the user rather than processing the file correctly.

As mentioned, you can limit access to resources based on the user’s IP address. However, this security semantics currently cannot be represented as an ACL, and applications supporting restrictions based on IP address, Domain Name System (DNS) name, or subnet must use their own access code.

I covered this in detail in Chapter 10, but it’s worth repeating. If you must make name-based security decisions, restrict what you consider a valid name and deny all other formats. For example, you might require that all filenames be absolute paths containing a restricted pool of characters. Or you might decide that the following must be true for a file to be determined as valid:

The easiest way to do this is to use regular expressions. Learning to define and use good regular expressions is critical to the security of your application. A regular expression is a series of characters that define a pattern which is then compared with target data, such as a string, to see whether the target includes any matches of the pattern. For example, the following regular expression will represent the example absolute path just described:

^[cd]:(?:\w+)+\w{1,32}.(txt|jpg|gif)$

Refer to Chapter 10 for details about what this expression means.

This expression is strict—the following are valid:

The following are invalid:

As you can see, using this simple expression can drastically reduce the possibility of using a noncanonical name. However, it does not detect whether a filename represents a device; we’ll look at that shortly.

You should also consider preventing the file system from generating short filenames. This is not a programmatic option—it’s an administrative setting. You can stop Windows from creating 8.3 filenames by adding the following setting to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlFileSystem registry key:

NtfsDisable8dot3NameCreation : REG_DWORD : 1

This option does not remove previously generated 8.3 filenames.

Never depend on the PATH environment variable to find files. You should be explicit about where your files reside. For all you know, an attacker might have changed the PATH to read c:myhacktools;%systemroot% and so on! When was the last time you checked the PATH on your systems? The lesson here is to use full path names to your data and executable files, rather than relying on an untrusted variable to determine which files to access.

Restricting what is valid in a filename and rejecting all else is reasonably safe, as long as you use a good regular expression. However, if you want more flexibility, you might need to attempt to canonicalize the filename for yourself, and that’s the next topic.

Canonicalizing a filename is not as hard as it seems; you just need to be aware of some Win32 functions to help you. The goal of canonicalization is to get as close as possible to the file system’s representation of the file in your code and then to make decisions based on the result. In my opinion, you should get as close as possible to the canonical representation and reject the name if it still does not look valid. For example, the CleanCanon application I’ve written performs robust canonicalization functions as described in the following steps:

Let’s look at this Win32 C++ code, written using Visual C++ .NET, that performs these steps:

/*
    CleanCanon.cpp
*/
#include "stdafx.h"
#include "atlrx.h"
#include "strsafe.h"
#include <new>

enum errCanon {
    ERR_CANON_NO_ERROR = 0,
    ERR_CANON_INVALID_FILENAME,
    ERR_CANON_INVALID_PATH,
    ERR_CANON_NOT_A_FILE,
    ERR_CANON_NO_FILE,
    ERR_CANON_NO_PATH,
    ERR_CANON_TOO_BIG,
    ERR_CANON_NO_MEM};

errCanon GetCanonicalFileName(LPCTSTR szFilename, 
                              LPCTSTR szDir,
                              LPTSTR  *pszNewFilename) {

    //STEP 1
    //Must provide a path and must be smaller than MAX_PATH
    if (szDir == NULL)
      return ERR_CANON_NO_PATH;

   size_t cchDirLen = 0;
   if (StringCchLength(szDir,MAX_PATH,&cchDirLen) != S_OK ||
            cchDirLen > MAX_PATH)
      return ERR_CANON_TOO_BIG;

   *pszNewFilename = NULL;
   LPTSTR szTempFullDir = NULL;
   HANDLE hFile = NULL;

   errCanon err = ERR_CANON_NO_ERROR;

   try {
      //STEP 2 
      //Check filename is valid (alphanum ’.’ 1-4 alphanums)
      //Check path is valid (alphanum and ’’ only)
      //Case insensitive
      CAtlRegExp<> reFilename, reDirname;
      CAtlREMatchContext<> mc;
      reFilename.Parse(_T("^\a+\.\a\a?\a?\a?$"),FALSE);
      if (!reFilename.Match(szFilename,&mc))
         throw ERR_CANON_INVALID_FILENAME;

      reDirname.Parse(_T("^\c:\\[a-z0-9\\]+$"),FALSE);
      if (!reDirname.Match(szDir,&mc))
         throw ERR_CANON_INVALID_FILENAME;

      size_t cFilename = lstrlen(szFilename);
      size_t cDir = lstrlen(szDir);

      //Temp new buffer size, allow for added ’’
      size_t cNewFilename = cFilename + cDir + 1;

      //STEP 3
      //Make sure filesize is small enough
      if (cNewFilename > MAX_PATH)
         throw ERR_CANON_TOO_BIG;

      //Allocate memory for the new filename
      //Accommodate for prefix \? and for trailing ’’
      LPCTSTR szPrefix = _T("\\?\");
      size_t cchPrefix = lstrlen(szPrefix);
      size_t cchTempFullDir = cNewFilename + 1 + cchPrefix;
      szTempFullDir = new TCHAR[cchTempFullDir];
      if (szTempFullDir == NULL)
         throw ERR_CANON_NO_MEM;

      //STEP 4 
      //Join the dir and filename together. 
      //Prepending \? forces the OS to treat many characters 
      //literally by not performing extra interpretation/canon steps
      if (StringCchPrintf(szTempFullDir,
                          cchTempFullDir,
                         _T("%s%s\%s"),
                         szPrefix,
                         szDir,
                         szFilename) != S_OK)
         throw ERR_CANON_INVALID_FILENAME;

      // STEP 5 
      // Get the full path, 
      // Accommodates for .. and trailing ’.’ and spaces
      TCHAR szFullPathName [MAX_PATH + 1];
      LPTSTR szFilenamePortion = NULL;
      DWORD dwFullPathLen = 
         GetFullPathName(szTempFullDir,
                         MAX_PATH,
                         szFullPathName,
                         &szFilenamePortion);
      if (dwFullPathLen > MAX_PATH)
         throw ERR_CANON_NO_MEM;

      // STEP 6 
      // Get the long filename
      if (GetLongPathName(szFullPathName,
                          szFullPathName,
                          MAX_PATH) == 0) {
         errCanon errName = ERR_CANON_TOO_BIG;
         switch (GetLastError()) {
            case ERROR_FILE_NOT_FOUND : 
                     errName = ERR_CANON_NO_FILE;
                     break;

            case ERROR_NOT_READY :
            case ERROR_PATH_NOT_FOUND :
                     errName = ERR_CANON_NO_PATH;
                     break;

            default : break;
         }

         throw errName; 
      }

      // STEP 7
      // Is this a file or a device?
      hFile = CreateFile(szFullPathName,
                         0,0,NULL,
                         OPEN_EXISTING,
                     SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
                         NULL);
      if (hFile == INVALID_HANDLE_VALUE)
         throw ERR_CANON_NO_FILE;

      if (GetFileType(hFile) != FILE_TYPE_DISK)
         throw ERR_CANON_NOT_A_FILE;

      //Looks good!
      //Caller must delete [] pszNewFilename
      const size_t cNewFilenane = lstrlen(szFullPathName)+1;
      *pszNewFilename =  new TCHAR[cNewFilenane];
      if (*pszNewFilename != NULL)
         StringCchCopy(*pszNewFilename,cNewFilenane,szFullPathName);
      else
         err = ERR_CANON_NO_MEM;

   } catch(errCanon e) {
      err = e;
   } catch (std::bad_alloc a) {
      err = ERR_CANON_NO_MEM;
   }

   delete [] szTempFullDir;
   if (hFile) CloseHandle(hFile);

   return err;
}

The complete code listing is available in the companion content, in the folder Secureco2Chapter11CleanCanon. CreateFile has a side effect when it’s determining whether the file is a drive-based file. The function will fail if the file does not exist, saving your application from performing the check.

You may have noticed that dwFlagsAndAttributes flags is nonzero in the CreateFile call in the previous code. There’s a good reason for this. This code does nothing more than verify that a filename is valid, and is not a device or an interprocess communication mechanism, such as a mailslot or a named pipe. That’s it. If it were a named pipe, the process owning the pipe could impersonate the process identity of the code making the request. However, in the interests of security, I don’t want any code I don’t trust impersonating me. So setting this flag prevents the code at the "other end" impersonating you.

Note that there is a small issue with setting this flag, although it doesn’t affect this code, because the code is not attempting to manipulate the file. The problem is that the constant SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION is the same as FILE_FLAG_OPEN_NO_RECALL, which indicates the file is not to be pulled from remote storage if the file exists. This flag is intended for use by the Hierarchical Storage Management system or remote storage systems.

Now let’s move our focus to fixing Web-based canonical representation issues.

The next best remedy is to restrict what is considered a valid user request. You created the resources being protected, and so you can define the valid ways to access that data and reject all other requests. Once again, validity is tested using regular expressions. I’ll say it just one more time: always determine what is valid input and reject all other input. It’s safer to have a client complain that something doesn’t work because of an overzealous regular expression than have the service not work because it’s been hacked!

If you must manipulate UTF-8 characters, you need to reduce the data to its canonical form by using the MultiByteToWideChar function in Windows. The following sample code shows how you can call this function with various valid and invalid UTF-8 characters. You can find the complete code listing in the companion content in the folder Secureco2Chapter11UTF8. Also note that if you want to create UTF-8 characters, you can use WideCharToMultiByte by setting the code page to CP_UTF8.

void FromUTF8(LPBYTE pUTF8, DWORD cbUTF8) {
    WCHAR wszResult[MAX_CHAR+1];
    DWORD dwResult = MAX_CHAR;

    int iRes = MultiByteToWideChar(CP_UTF8,
                  0,
                  (LPCSTR)pUTF8,
                  cbUTF8,
                  wszResult,
                  dwResult);

    if (iRes == 0) {
        DWORD dwErr = GetLastError();
        printf("MultiByteToWideChar() failed - > %d
", dwErr);
    } else {
        printf("MultiByteToWideChar() returned "
               "%S (%d) wide characters
",
               wszResult,
               iRes);
    }
}


void main() {
    //Get Unicode for 0x5c; should be ’’.
    BYTE pUTF8_1[] = {0x5C};
    DWORD cbUTF8_1 = sizeof pUTF8_1;
    FromUTF8(pUTF8_1, cbUTF8_1);

    //Get Unicode for 0xC0 0xAF. 
    //Should fail because this is 
    //an overlong ’/’.
    BYTE pUTF8_2[] = {0xC0, 0xAF};
    DWORD cbUTF8_2 = sizeof pUTF8_2;
    FromUTF8(pUTF8_2, cbUTF8_2);

    //Get Unicode for 0xC2 0xA9; should be 
    //a ’©’ symbol.
    BYTE pUTF8_3[] = {0xC2, 0xA9};
    DWORD cbUTF8_3 = sizeof pUTF8_3;
    FromUTF8(pUTF8_3, cbUTF8_3);
}

ISAPI applications and ISAPI filters are probably the most vulnerable technologies, because they are often written in relatively low-level C or C++, they handle Web requests and response, and they manipulate files. If you are writing ISAPI applications for IIS6 you should use the SCRIPT_TRANSLATED server variable, as it will return a correctly canonicalized filename based on the URL to your code, rather than you performing the work and probably getting it wrong.

Servers, be they Web servers, file and print servers, or e-mail servers, can be named in a number of ways. The most common way to name a computer is to use a DNS name—for example, northwindtraders.com. Another common way is to use an IP address, such as 192.168.197.100. Either name will access the same server from the client code. Also, a local computer can be known as localhost and can have an IP address in the 127.n.n.n subnet. And if the server is on an internal Windows network, the computer can also be accessed by its NetBIOS same, such as \northwindtraders.

So, what if your code makes a security decision based on the name of the server? It’s up to you to determine what an appropriate canonical representation is and to compare names against that, failing all names that do not match. The following code can be used to gather various names of a local computer:

/*
    CanonServer.cpp
*/
for (int i = ComputerNameNetBIOS; 
    i <= ComputerNamePhysicalDnsFullyQualified; 
    i++) {

    TCHAR szName[256];
    DWORD dwLen = sizeof szName / sizeof TCHAR;

    TCHAR *cnf;
    switch(i) {
        case 0 : cnf = "ComputerNameNetBIOS"; break;
        case 1 : cnf = "ComputerNameDnsHostname"; break ;
        case 2 : cnf = "ComputerNameDnsDomain"; break;
        case 3 : cnf = "ComputerNameDnsFullyQualified";  break;
        case 4 : cnf = "ComputerNamePhysicalNetBIOS"; break;
        case 5 : cnf = "ComputerNamePhysicalDnsHostname "; break;
        case 6 : cnf = "ComputerNamePhysicalDnsDomain";  break;
        case 7 : cnf = "ComputerNamePhysicalDnsFullyQualified"; break;
        default : cnf = "Unknown"; break;
    }

    BOOL fRet =
        GetComputerNameEx((COMPUTER_NAME_FORMAT)i,
                          szName,
                          &dwLen);

    if (fRet) {
        printf("%s in ’%s’ format.
", szName, cnf);
    } else {
        printf("Failed %d", GetLastError());
    }
}

The complete code listing is available in the companion content in the folder Secureco2Chapter11CanonServer. You can get the IP address or addresses of the computer by calling the Windows Sockets (Winsock) getaddrinfo function or by using Perl. You can use the following code:

my ($name, $aliases, $addrtype, $length, @addrs) 
    = gethostbyname "mymachinename";
foreach (@addrs) {
    my @addr = unpack(‘C4’, $_);
    print "IP: @addr
";
}

Finally, we come to usernames. Historically, Windows supported one form of username: DOMAINUserName, where DOMAIN is the name of the user’s domain and UserName is, obviously, the user’s name. This is also referred to as the SAM (Security Account Manager) name. For example, if Blake is in the DEVELOPMENT domain, his account would be DEVELOPMENTBlake. However, with the advent of Windows 2000, the user principal name (UPN) was introduced, which follows the now-classic and well-understood e-mail address format of user@domain—for example, [email protected].

Take a look at the following code:

bool AllowAccess(char *szUsername) {
    char *szRestrictedDomains[]={"MARKETING", "SALES"};
    for (i = 0; 
         i < sizeof szRestrcitedDomains /
             sizeof szRestrcitedDomains[0]; 
         i++)
        if (_strncmpi(szRestrictedDomains[i],
                      szUsername,
                      strlen(szRestrictedDomains[i]) ==  0)
            return false;
    return true;
}

This code will return false for anyone in the MARKETING or SALES domain. For example, MARKETINGBrian will return false because Brian is in the MARKETING domain. However, if Brian had the valid UPN name [email protected], this function would return true because the name format is different, which causes the case-insensitive string comparison function to always return a nonzero (nonmatch) value.

Windows 2000 and later have a canonical name—it’s the SAM name. All user accounts must have a unique SAM name to be valid on a domain, regardless of whether the domain is Windows NT 4, Windows 2000, Windows 2000 running Active Directory, or Windows XP.

You can use the GetUserNameEx function to determine the canonical user name, like so:

/*
    CanonUser.cpp
*/
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>

for (int i = NameUnknown ; 
     i <= NameServicePrincipal; 
     i++) {

    TCHAR szName[256];
    DWORD dwLen = sizeof szName / sizeof TCHAR;

    TCHAR *enf = NULL;
    switch(i) {
        case 0 : enf = "NameUnknown"; break;
        case 1 : enf = "NameFullyQualifiedDN"; break;
        case 2 : enf = "NameSamCompatible"; break;
        case 3 : enf = "NameDisplay"; break;
        case 4 : enf = "NameUniqueId"; break;
        case 5 : enf = "NameCanonical"; break;
        case 6 : enf = "NameUserPrincipal"; break;
        case 7 : enf = "NameUserPrincipal"; break;
        case 8 : enf = "NameServicePrincipal"; break;
        default : enf = "Unknown"; break;
    }

    BOOL fRet =
        GetUserNameEx((EXTENDED_NAME_FORMAT)i,
                      szName,
                      &dwLen);

    if (fRet) {
        printf("%s in ’%s’ format.
", szName, enf);
    } else {
        printf("%s failed %d
", enf, GetLastError());
    }
}

You can also find this example code in the companion content in the folder Secureco2Chapter11CanonUser. Don’t be surprised if you see some errors; some of the extended name formats don’t apply directly to users.

Finally, you should refrain from making access control decisions based on the username. If possible, use ACLs.