Vulnerability Development mailing list archives
Why MS namedpipe work this way
From: Minchu Mo <morris_minchu () iwon com>
Date: 10 Dec 2001 11:56:05 -0000
Microsoft named pipes allow the named pipe server to use the function ImpersonateNamedPipeClient() to assume the security token of the named pipe client, which in lots of cases is the system account. MSDN says, "This function can be useful in determining whether to grant the request of a pipe client." This is OK if the client is a normal user, but if the client is system, as currently exists in many Windows services, it can be hijacked by a faked/hacking named pipe server. I have seen several papers talking about exploiting this. Would it be better to have this function ImpersonateNamedPipeClient() work only in the case when the named pipe server has higher privilege than the client?
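An added example, not part of the original post: the client side can restrict what a pipe server gets from ImpersonateNamedPipeClient() by passing security quality of service flags to CreateFile. The pipe name and helper names below are hypothetical, and the fallback constants mirror winbase.h only so the flag logic also builds off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Assumption: values mirrored from winbase.h so this file compiles elsewhere. */
typedef unsigned int DWORD;
#define SECURITY_ANONYMOUS      0x00000000u
#define SECURITY_IDENTIFICATION 0x00010000u
#define SECURITY_IMPERSONATION  0x00020000u
#define SECURITY_SQOS_PRESENT   0x00100000u
#endif

/* Impersonation levels a client may offer to the pipe server. */
enum sqos_level { SQOS_ANONYMOUS, SQOS_IDENTIFICATION, SQOS_IMPERSONATION };

/* Build dwFlagsAndAttributes for CreateFile. The level bits only take effect
   together with SECURITY_SQOS_PRESENT, so that flag is always included. */
DWORD pipe_client_flags(enum sqos_level level)
{
    DWORD bits = SECURITY_ANONYMOUS;
    if (level == SQOS_IDENTIFICATION)
        bits = SECURITY_IDENTIFICATION;
    else if (level == SQOS_IMPERSONATION)
        bits = SECURITY_IMPERSONATION;
    return (DWORD)(SECURITY_SQOS_PRESENT | bits);
}

#ifdef _WIN32
/* Open the pipe so the server can query who the caller is (for an access
   decision) but cannot open objects or start work under the caller's token. */
HANDLE open_pipe_identify_only(const wchar_t *pipe_name)
{
    return CreateFileW(pipe_name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, pipe_client_flags(SQOS_IDENTIFICATION), NULL);
}
#endif

int main(void)
{
    printf("identification-only flags: 0x%08x\n",
           (unsigned)pipe_client_flags(SQOS_IDENTIFICATION));
#ifdef _WIN32
    /* Hypothetical pipe name, used for illustration only. */
    HANDLE h = open_pipe_identify_only(L"\\\\.\\pipe\\example_service_pipe");
    if (h == INVALID_HANDLE_VALUE)
        printf("open failed: %lu\n", GetLastError());
    else
        CloseHandle(h);
#endif
    return 0;
}
```

A service running as system that opens pipes this way still lets a legitimate server identify it, while a server that calls ImpersonateNamedPipeClient() receives only an identification-level token.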