Prevent superfluous pipe connectivity vulnerabilities
- From: "mario.beutler" <mario.beutler@xxxxxxxxxx>
- Date: 12 Feb 2007 06:11:36 -0800
Hello,
I just read "Discovering and Exploiting Named Pipe Security Flaws for
Fun and Profit" on http://www.blakewatts.com/namedpipepaper.html:
"3.2 Superfluous Pipe Connectivity
Superfluous pipe connectivity vulnerabilities occur when a client
application attempts to connect to a server-end of a named pipe,
oblivious to whether or not the server process has actually created
the named pipe in question. If the server-end of the named pipe is not
created, its software hasn't been installed, or the server software
has crashed, the client's security context may be usurped by a
malicious application that has created the pipe that the client
attempts to connect to. What's worse is that some applications
effectively poll their connection requests until it succeeds. This
effectively makes Windows Terminal Server very insecure if
applications that implement such an algorithm are used."
My Named Pipe client runs with admin privileges (I really cannot
change it) on a remote machine, and I don't need any kind of
impersonation. So I want to use CreateFile(SECURITY_SQOS_PRESENT |
SECURITY_ANONYMOUS) to protect my Named Pipe client (then
impersonating my client isn't possible?).
But then I read this: "When the named pipe, RPC, or DDE connection is
remote, the flags passed to CreateFile to set the impersonation level
are ignored." on
http://msdn2.microsoft.com/en-us/library/aa378832.aspx.
How can I protect my Named Pipe client against impersonation?
Thank you for your help,
Mario
BTW: MSDN wrote: "In this case (remote pipe), the impersonation level
of the client is determined by the impersonation levels enabled by the
server, which is set by a flag on the server's account in the
directory service." Is it the one and only solution? How do I do this
programmatically?
BTW2: Why is the information "SECURITY_SQOS_PRESENT ignored on remote
pipes" not found in the MSDN docs of CreateFile, and also not in
some important MSDN security articles which describe the flag
SECURITY_SQOS_PRESENT, like
"Defend Your Apps and Critical User Info with Defensive Coding
Techniques" on
http://msdn.microsoft.com/msdnmag/issues/04/11/applockdown/default.aspx?print=true&loc=null
?
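
An added example (not part of the original post or of MSDN) of the MSDN caveat quoted above: a client-side check that applies SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS only to a local \\.\pipe\ path and refuses to treat the flags as protection for a remote path. The function names are hypothetical, and treating every path that does not start with \\.\pipe\ as remote is an assumption of this example.

```c
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the path check builds off Windows; values match winbase.h. */
#define SECURITY_ANONYMOUS    0x00000000u
#define SECURITY_SQOS_PRESENT 0x00100000u
#endif

/* Returns 1 if path is \\.\pipe\<name> (local, SQOS flags are honoured),
 * otherwise 0. Anything else, e.g. \\server\pipe\name, is treated as
 * remote; that conservative rule is an assumption of this example. */
int pipe_path_is_local(const char *path)
{
    static const char prefix[] = "\\\\.\\pipe\\";
    size_t n = sizeof(prefix) - 1, i;
    if (path == NULL || strlen(path) <= n)
        return 0;                       /* NULL, too short, or empty pipe name */
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != prefix[i])
            return 0;
    return 1;
}

/* Returns the value for CreateFile's dwFlagsAndAttributes, or -1 for a
 * remote path, where the caller must not rely on the flags. */
long sqos_flags_for(const char *path)
{
    if (!pipe_path_is_local(path))
        return -1;
    return (long)(SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS);
}

#ifdef _WIN32
/* Opens the pipe only when the anonymous impersonation level will apply. */
HANDLE open_pipe_anonymous(const char *path)
{
    long flags = sqos_flags_for(path);
    if (flags < 0) {
        SetLastError(ERROR_NOT_SUPPORTED);
        return INVALID_HANDLE_VALUE;
    }
    return CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, (DWORD)flags, NULL);
}
#endif
```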