[VulnWatch] Pipe Filename Local Privilege Escalation FAQ

From: _at_stake Advisories (_at_stake)
Date: 07/09/03

    Date: Wed, 09 Jul 2003 08:40:49 -0700
    To: vulnwatch@vulnwatch.org
    
    


    We have received several inquiries regarding the advisory, "Named
    Pipe Filename Local Privilege Escalation" that was published by
    @stake on 07/08/2003. These answers should clarify where the
    vulnerability actually lies so customers can make informed
    decisions on what may need to be fixed in their environments.

    1. Is SQL Server 7.0 vulnerable?

    The actual vulnerability is at the Windows NT/XP/2000 platform level,
    not at the application level. Any application that calls CreateFile
    based on user input and doesn't filter out named pipe names can be
    used as an attack vector to exploit this vulnerability. Since SQL
    Server 7.0 contains the xp_fileexist procedure, which calls
    CreateFile with user input, it is an attack vector. Instead of
    fixing this one attack vector, Microsoft has fixed the actual design
    vulnerability with new privileges. If you are running SQL Server 7.0,
    you should upgrade to Windows 2000 SP4 if local privilege
    escalation is a risk in your environment.

    There are potentially many other applications that can be used as
    attack vectors. We have made no attempt to find any other vectors
    at this time. SQL Server MSDE, which is installed by many products, is
    potentially another vector. A full list is here:

    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
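    The filtering step described in question 1, as an added example that is
    not @stake's or Microsoft's code: a portable C check an application can
    run on a user-supplied filename before handing it to CreateFile, rejecting
    anything in the named-pipe namespace. The function name is assumed.

```c
#include <ctype.h>
#include <stdbool.h>

/* Added example: reject the Windows named-pipe namespace in a user-supplied
 * filename before it reaches CreateFile. The function name is assumed. */

static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Case-insensitive prefix match of s against the whole keyword kw. */
static bool match_ci(const char *s, const char *kw)
{
    for (; *kw != '\0'; s++, kw++) {
        if (*s == '\0' ||
            tolower((unsigned char)*s) != tolower((unsigned char)*kw))
            return false;
    }
    return true;
}

/* True when the path component at p is exactly "pipe" (any case). */
static bool component_is_pipe(const char *p)
{
    return match_ci(p, "pipe") && (p[4] == '\0' || is_sep(p[4]));
}

/* Recognises \\.\pipe\x, \\?\pipe\x, \\server\pipe\x and
 * \\?\UNC\server\pipe\x, with either slash style. Plain local paths such
 * as C:\dir\pipe\x are not pipes and return false. */
bool is_named_pipe_path(const char *path)
{
    const char *p = path;
    if (!is_sep(p[0]) || !is_sep(p[1]))   /* pipe names always start \\ */
        return false;
    p += 2;

    if ((p[0] == '.' || p[0] == '?') && is_sep(p[1])) {  /* \\.\ or \\?\ */
        p += 2;
        if (!match_ci(p, "UNC") || !is_sep(p[3]))
            return component_is_pipe(p);  /* \\.\pipe\... */
        p += 4;                           /* \\?\UNC\server\pipe\... */
    }

    /* UNC form: skip the host component, then test the share name. */
    while (*p != '\0' && !is_sep(*p))
        p++;
    if (*p == '\0')
        return false;
    return component_is_pipe(p + 1);
}
```

    Where the caller cannot reject the name, passing SECURITY_SQOS_PRESENT
    together with SECURITY_ANONYMOUS or SECURITY_IDENTIFICATION in CreateFile's
    dwFlagsAndAttributes limits the impersonation level a pipe server obtains
    from the opening process.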

    2. Are Windows NT 4.0, Windows XP, and Windows 2003 vulnerable?

    Windows NT 4.0 and Windows XP are.

    The MSDN documentation for SeImpersonatePrivilege states this:

    "Windows XP, Windows 2000 SP3 and earlier, Windows NT: This
    privilege is not supported."

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authorization_constants.asp

    Windows 2000 SP4 and Windows 2003 are the only platforms that support
    the new privilege that fixes this issue.

    3. Has @stake conducted any extensive research on the potential
    impact on production systems when implementing SP4?

    We have not done any research on the impact of SP4 on production
    systems. We are not set up to do application regression testing.
    This is a major change for applications that must use
    impersonation. As with all service packs, acceptance testing is
    advised. The Microsoft KB article
    (http://support.microsoft.com/default.aspx?scid=kb;[LN];821546) does
    have troubleshooting tips for applications that require the
    impersonation privilege that are not started by the service control
    manager or the COM infrastructure.

    4. What are some other workarounds to this issue?

    Since this is a local privilege escalation issue, it can be mitigated
    by only allowing administrators to log on locally to servers running
    applications that can be used as attack vectors. If you are running
    Terminal Services, then only administrators should be given
    permission to connect.

    5. Why is there no Microsoft bulletin on this issue?

    Microsoft's policy is to not issue bulletins for vulnerabilities that
    are fixed in service packs.


