Vulnerability Development mailing list archives

Re: Why MS namedpipe work this way


From: "Robert Freeman" <freem100 () chapman edu>
Date: Mon, 10 Dec 2001 14:34:10 -0800

This reminds me of the named pipes prediction vulnerability. I believe the
function in question is utilized by the PipeUpAdmin code
(http://www.dogmile.com/files/pipeup.html).

----- Original Message -----
From: "Minchu Mo" <morris_minchu () iwon com>
To: <vuln-dev () securityfocus com>
Sent: Monday, December 10, 2001 3:56 AM
Subject: Why MS namedpipe work this way




Microsoft named pipes allow the named pipe server to
use the function ImpersonateNamedPipeClient() to
assume the security token of the named pipe client,
which in lots of cases is the system account.

MSDN says, "This function can be useful in
determining whether to grant the request of a pipe
client."  This is OK if the client is a normal user, but if
the client is system, as is currently the case in many
Windows services, it can be hijacked by a
faked/hacking named pipe server. I have seen several
papers talking about exploiting this.

Would it be better to have this function
ImpersonateNamedPipeClient() work only in the case
where the named pipe server has higher privilege than
the client?




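The scenario discussed in the thread, as an added example that is not code from either poster or from PipeUpAdmin: a named pipe server that waits for a client and then calls ImpersonateNamedPipeClient() (through the .NET wrapper NamedPipeServerStream.RunAsClient) to take the client's token, beside a client that connects at a chosen impersonation level. The pipe name and the "hello" payload are assumptions for the demo; run the server in one PowerShell window and the client in another, as the same user for a harmless test.

```powershell
# Added example; not from the vuln-dev thread. Pipe name is an assumption.
$PipeName = 'vulndev_impersonation_demo'

function Start-ImpersonatingPipeServer {
    # Create the pipe, wait for one client, read from it, then run a worker
    # under the client's token. RunAsClient() wraps ImpersonateNamedPipeClient()
    # and reverts the thread token when the worker returns.
    param([string]$Name = $PipeName)

    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                            # one instance only
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None)
    try {
        $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Write-Host "Server running as '$me', waiting on \\.\pipe\$Name"
        $server.WaitForConnection()

        # The client must have written to the pipe before the server can
        # impersonate it; ImpersonateNamedPipeClient() fails on an empty pipe.
        $reader = [System.IO.StreamReader]::new($server)
        $null = $reader.ReadLine()

        # Hashtable captured by reference so the worker can hand back a result.
        $box = @{}
        $worker = {
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            $box.Result = [pscustomobject]@{
                ImpersonatedUser   = $id.Name
                ImpersonationLevel = $id.ImpersonationLevel   # Identification or Impersonation
                IsSystem           = $id.IsSystem
            }
        }.GetNewClosure()

        $server.RunAsClient($worker)   # calls ImpersonateNamedPipeClient()
        return $box.Result
    } finally {
        $server.Dispose()
    }
}

function Connect-PipeClient {
    # Client side. Identification level lets the server learn who we are but
    # not act as us; Impersonation level lets it take our token. A client that
    # passes no SQOS flags gets the Win32 default, which is Impersonation.
    param(
        [string]$Name = $PipeName,
        [Security.Principal.TokenImpersonationLevel]$Level =
            [Security.Principal.TokenImpersonationLevel]::Identification
    )
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        $Level)
    try {
        $client.Connect(5000)
        $writer = [System.IO.StreamWriter]::new($client)
        $writer.AutoFlush = $true
        $writer.WriteLine('hello')   # any data; the server needs one read
    } finally {
        $client.Dispose()
    }
}

# Window 1:  Start-ImpersonatingPipeServer
# Window 2:  Connect-PipeClient                         (server gets an Identification token)
#            Connect-PipeClient -Level Impersonation    (server gets a usable Impersonation token)
```

With the Identification-level client, RunAsClient still succeeds, but the token the server receives only answers "who is this"; opening files or creating processes with it fails. With the Impersonation-level client, the server acts as the client for the duration of the worker, which is the hijack the original post describes when the client is a service running as SYSTEM. Two points a practitioner should know that post-date this thread: since Windows 2000 SP4 / Server 2003, impersonating a client at Impersonation level or above requires the server process to hold SeImpersonatePrivilege unless the client is the same user, which is roughly the privilege-ordering restriction the poster asks for; and a server that owns the pipe name should create it with FILE_FLAG_FIRST_PIPE_INSTANCE so a lower-privileged process cannot squat the name ahead of it.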