Vulnerability Development mailing list archives
Re: Why MS namedpipe work this way
From: "Robert Freeman" <freem100 () chapman edu>
Date: Mon, 10 Dec 2001 14:34:10 -0800

This reminds me of the named pipes prediction vulnerability. I believe the function in question is utilized by the PipeUpAdmin code (http://www.dogmile.com/files/pipeup.html).

----- Original Message -----
From: "Minchu Mo" <morris_minchu () iwon com>
To: <vuln-dev () securityfocus com>
Sent: Monday, December 10, 2001 3:56 AM
Subject: Why MS namedpipe work this way

Microsoft named pipes allow the named pipe server to use the function ImpersonateNamedPipeClient() to assume the security token of the named pipe client, which in lots of cases is the system account. MSDN says, "This function can be useful in determining whether to grant the request of a pipe client." This is OK if the client is a normal user, but if the client is system, as currently exists in many Windows services, it can be hijacked by a faked/hacking named pipe server. I have seen several papers talking about exploiting this. Would it be better to have this function ImpersonateNamedPipeClient() work only in the case when the named pipe server has higher privilege than the client?