Bugtraq mailing list archives

Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation Vulnerability


From: Mike Schiffman <michael.schiffman () guardent com>
Date: Wed, 2 Aug 2000 09:16:32 -0700

G   U   A   R   D   E   N   T                        GUARDENT
SECURITY ADVISORY
secure digital infrastructure
A0108022000
-------------------------------------------------------------------------------
Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation
Vulnerability

August 02, 2000

http://www.guardent.com/A0108022000.html
-------------------------------------------------------------------------------

-----------------
EXECUTIVE SUMMARY
-----------------

A vulnerability in the way Windows 2000 handles named pipes allows any
non-privileged user to elevate his or her current security context to that of
an arbitrary service (started by the service control manager).  By exploiting
this bug, a non-privileged local user can gain privileged access to the system.


----------------
AFFECTED SYSTEMS
----------------

Guardent discovered and successfully exploited this vulnerability in
Microsoft Windows 2000.  Guardent's research and development team notified
Microsoft when the vulnerability was initially found and worked with them to
fix the problem.  You can read Microsoft's advisory here:

    http://www.microsoft.com/technet/security/bulletin/ms00-053.asp


-------------------
DETAILED DISCUSSION
-------------------

The vulnerability resides in the communication algorithm used to implement a
client/server architecture between the service control manager (SCM) and the
services started by the SCM.  By exploiting this vulnerability, a malicious or
unauthorized process has the opportunity to effectively become the server end
of a named pipe.  A service, started by the SCM, will connect to the named
pipe, and after becoming the server end of the pipe, the process has the
ability to impersonate the security context of the client connected to the
pipe, which in this case is an NT Service.

The first step involved in exploiting the vulnerability is to determine what
the name of the next NT SCM control pipe will be.  This name can be gleaned
from the registry:

    HKLM\System\CurrentControlSet\Control\ServiceCurrent

Step two: increment the value and append it to the string:

    "\\.\pipe\net\NtControlPipe"

Step three: create a named pipe using this name and wait for pipe clients.

Step four: after the pipe has been created, instruct the SCM to start an
arbitrary service.  All services have a security descriptor associated with
them that dictates to the SCM which users can perform which actions on the
service in question.  Included with the release of Windows 2000 are numerous
services with a security descriptor that allows interactive accounts to start
them, and which also run as LocalSystem.  One example is "ClipBook".

At this point, the service that was recently instructed to start has connected
to the malicious pipe (rather than to the SCM pipe, as it normally would).

Finally, the basic requirement for impersonation is to initiate a ReadFile
call on the pipe.

The malicious process now has the ability to impersonate the security context
of the client by using the call ImpersonateNamedPipeClient.  This effectively
gives the malicious thread an impersonation token of the service that has
connected to the pipe.

The malicious process now has the opportunity to perform privileged operations
under the security context of the service that has connected to the malicious
named pipe.  The process can now inject a remote thread, read process memory,
or attempt to perform privilege elevation techniques to obtain administrator
privileges.
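As an added defender-side check (not part of this advisory or Guardent's code), the following PowerShell reads the same ServiceCurrent counter named above and lists any control pipe instance whose number is higher than it.  It assumes the SCM only creates \\.\pipe\net\NtControlPipe<N> for N up to the current counter, so a higher-numbered instance that already exists was created by something other than the SCM.

```powershell
# Added example, not part of the Guardent advisory.
# Assumption: services.exe names control pipes \\.\pipe\net\NtControlPipe<N>
# with N <= the ServiceCurrent counter; an existing instance with N above the
# counter is therefore a pre-created (squatted) pipe that the next service
# start would connect to.

function Get-ServiceCurrentCounter {
    # The advisory's registry location; the counter is the key's default value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceCurrent'
    [int](Get-ItemProperty -Path $key).'(default)'
}

function Get-SuspiciousControlPipes {
    param([int]$Current = (Get-ServiceCurrentCounter))

    # Matches \\.\pipe\net\NtControlPipe<digits> exactly.
    $pattern = '^\\\\\.\\pipe\\net\\NtControlPipe(\d+)$'

    # Enumerating the pipe namespace needs no special privilege.
    foreach ($pipe in [System.IO.Directory]::GetFiles('\\.\pipe\')) {
        if ($pipe -match $pattern) {
            $n = [int]$matches[1]
            if ($n -gt $Current) {
                [pscustomobject]@{
                    Pipe           = $pipe
                    Number         = $n
                    ServiceCurrent = $Current
                }
            }
        }
    }
}

$current = Get-ServiceCurrentCounter
$hits = @(Get-SuspiciousControlPipes -Current $current)
if ($hits.Count -eq 0) {
    Write-Output "No control pipe instance above ServiceCurrent ($current) found."
} else {
    Write-Output "Control pipe instance(s) created ahead of the SCM counter:"
    $hits | Format-Table -AutoSize
}
```

A flagged instance can then be attributed to its owning process with a handle-enumeration tool; on a system where services.exe is the only pipe server for these names, any other owner is the finding.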


------
REMEDY
------

Guardent notified Microsoft of this issue immediately after discovering and
verifying the problem.  As a result, Microsoft was able to locate the source
of the vulnerability and create a hotfix to alleviate the problem.  The hotfix
can be downloaded from:

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432


----------------------
ADDITIONAL INFORMATION
----------------------

To contact the Guardent R&D team, please send email to:

    <guardentresearch () guardent com>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000, GUARDENT, INC.


-------------------
ABOUT GUARDENT, INC
-------------------

Guardent is a next-generation digital security services firm offering strategic
solutions for technology-enabled enterprises.  As a trusted security advisor,
Guardent partners with clients to meet their requirements for the continuous
innovation and development of their IT infrastructures, while mitigating the
risks inherent in today's complex networked environments.

Headquartered in the heart of Boston's technology corridor, Guardent has
operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto,
and London.

Obtain more information on Guardent by calling 888.413.4344 or by visiting
us on the web at http://www.guardent.com.

Press contact:     Dan McCall
                   Executive Vice President, Guardent, Inc.
                   dan.mccall () guardent com
                   617.513.6623

Technical contact: Mike Schiffman
                   Director, Research and Development, Guardent, Inc.
                   mike.schiffman () guardent com
                   888.413.4344

EOF

Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com
