Vulnerability Development mailing list archives
Re: ImpersonateNamedPipeClient
From: Matt Conover <shok () CAMEL ETHEREAL NET>
Date: Thu, 3 Aug 2000 15:14:20 -0700
> For example, I wrote some code so that when a remote computer connects to a certain named pipe on my system it spawns a cmd.exe (basically like how most Windows buffer overflow shellcode works) with the access rights of that remote user. So I find some idiot working at a company, send them the trojan, and then have a DOS prompt to that remote user's machine, which I can then use to locally exploit their NT server to then become SYSTEM.

My understanding (I'll try to get it verified) was that you can only impersonate an account on the machine (the account could be on the domain, also). I.e., it would be similar to logging into the machine, which requires privileges.

> There are security risks with named pipes beyond local named pipes. Clients can be vulnerable.

My comment that clients are not vulnerable is based on the assumption that I stated above--if this is wrong, then my statement is wrong, but I'm told that a valid account on the server side is required.
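The client-side check a defender would want here, as an added example that is not part of this thread: a named-pipe client connects with the Identification quality-of-service level (the SECURITY_IDENTIFICATION flag under the hood), and the server end then calls ImpersonateNamedPipeClient() via .NET's RunAsClient and reports what level of token it actually received and whether that token can pass an access check. The pipe name and the win.ini path are constructed for the demo; run it on Windows.

```powershell
# Added example, not code from the thread. The pipe name is constructed for this demo.
$pipeName = 'vuln-dev-impersonation-demo'

# Server end: single instance, asynchronous so both ends can be driven from one script.
$server  = New-Object System.IO.Pipes.NamedPipeServerStream -ArgumentList $pipeName, 'InOut', 1, 'Byte', 'Asynchronous'
$pending = $server.WaitForConnectionAsync()

# Client end: the mitigation. 'Identification' maps to SECURITY_IDENTIFICATION, so the
# server may learn who connected but receives a token it cannot act with. Change it to
# 'Impersonation' (the Win32 default when no SQOS flag is given) to see the level the
# cmd.exe trick discussed above would require.
$client = New-Object System.IO.Pipes.NamedPipeClientStream -ArgumentList '.', $pipeName, 'InOut', 'None', 'Identification'
$client.Connect(5000)
$pending.Wait()

# ImpersonateNamedPipeClient() fails until the server has read data from the pipe,
# so the client writes one line and the server reads it first.
$writer = New-Object System.IO.StreamWriter($client); $writer.AutoFlush = $true
$writer.WriteLine('hello')
$reader = New-Object System.IO.StreamReader($server)
$null   = $reader.ReadLine()

# RunAsClient wraps ImpersonateNamedPipeClient()/RevertToSelf() around the worker.
$script:result = @{}
$worker = [System.IO.Pipes.PipeStreamImpersonationWorker]{
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $script:result.Who   = $id.Name
    $script:result.Level = $id.ImpersonationLevel
    try {
        # Any securable-object access check exercises the token; the path is just a sample file.
        $null = [System.IO.File]::ReadAllText("$env:windir\win.ini")
        $script:result.Access = 'opened win.ini while impersonating the client'
    } catch {
        $script:result.Access = "denied: $($_.Exception.GetBaseException().Message)"
    }
}
$server.RunAsClient($worker)

"Client identity seen by server : $($script:result.Who)"
"Impersonation level of token   : $($script:result.Level)"
"Using that token to open a file: $($script:result.Access)"

$client.Dispose(); $server.Dispose()
```

With 'Identification' the access attempt is refused even though the identity is visible, which is the property a client relies on when it cannot trust the pipe server.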
Current thread:
- ImpersonateNamedPipeClient() vulnerabilities Mikael Olsson (Aug 02)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Matt Conover (Aug 03)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Mikael Olsson (Aug 03)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Matt Conover (Aug 03)
- Re: "How Named Pipe Security Works" (update) Matt Conover (Aug 03)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Marc (Aug 03)
- Re: ImpersonateNamedPipeClient Matt Conover (Aug 03)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Mikael Olsson (Aug 03)
- Re: ImpersonateNamedPipeClient -- "How Named Pipe Security Works" Matt Conover (Aug 03)