Vulnerability Development mailing list archives

Re: ImpersonateNamedPipeClient


From: Matt Conover <shok () CAMEL ETHEREAL NET>
Date: Thu, 3 Aug 2000 15:14:20 -0700

For example I wrote some code so when a remote computer connects to a
certain named pipe on my system that it spawns a cmd.exe (basically like how
most windows buffer overflow shellcode works) with the access rights of that
remote user. So I find some idiot working at a company, send them the
trojan, and then have a DOS prompt to that remote user's machine which I can
then use to locally exploit their NT server to then become SYSTEM.

My understanding (I'll try to get it verified) was that you can only
impersonate an account on the machine (the account could be on the domain,
also). I.e., it would be similar to logging into the machine, which
requires privileges.

There are security risks with named pipes beyond local named pipes. Clients
can be vulnerable.

My comment that clients are not vulnerable is based on the assumption that
I stated above--if this is wrong, then my statement is wrong, but I'm told
that a valid account on the server side is required.
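The client-side exposure discussed in this thread exists because, by default, a process that opens a named pipe lets the pipe server impersonate it at impersonation level. The Win32 client can limit that by passing SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION in the CreateFile flags, after which ImpersonateNamedPipeClient on the server yields only an identification-level token: enough to learn who connected, not enough to open objects as that user. The following is an added example (not code from anyone in this thread) showing the same control through .NET's System.IO.Pipes, where the client passes TokenImpersonationLevel.Identification and the server records the caller's name without acting as the caller; the pipe name is a constructed placeholder.

```csharp
// Added example, not from the original post. Demonstrates a named-pipe client
// that caps what the server may do with its identity (Identification level
// only) and a server that merely logs who connected. Requires Windows.
using System;
using System.IO;
using System.IO.Pipes;
using System.Security.Principal;
using System.Threading;

class PipeImpersonationDemo
{
    const string PipeName = "example_pipe"; // constructed placeholder name

    static void Server()
    {
        // Single-instance duplex pipe server.
        using (var server = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1))
        {
            server.WaitForConnection();

            // Identification level is sufficient to read the caller's account
            // name; it is not sufficient for this process to open files or
            // other securable objects with the caller's access rights.
            string who = server.GetImpersonationUserName();
            Console.WriteLine("client identified as: " + who);

            using (var reader = new StreamReader(server))
                Console.WriteLine("client said: " + reader.ReadLine());
        }
    }

    static void Client()
    {
        // TokenImpersonationLevel.Identification corresponds to opening the
        // pipe with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION in Win32.
        // Omitting it (or choosing Impersonation) lets the server act as us.
        using (var client = new NamedPipeClientStream(".", PipeName, PipeDirection.InOut,
                   PipeOptions.None, TokenImpersonationLevel.Identification))
        {
            client.Connect(5000); // wait up to 5 s for the server to be ready
            using (var writer = new StreamWriter(client) { AutoFlush = true })
                writer.WriteLine("hello");
        }
    }

    static void Main()
    {
        var serverThread = new Thread(Server);
        serverThread.Start();
        Client();
        serverThread.Join();
    }
}
```

Run it on a Windows host and the server prints the connecting account name but any attempt by the server to use the resulting token to open resources on the client's behalf fails, which is the property a pipe client wants when it cannot vouch for the process listening on the other end.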
