Microsoft named pipes allow the named pipe server to use the function ImpersonateNamedPipeClient() to assume the security token of the named pipe client, which in lots of cases is the system account. MSDN says, "This function can be useful in determining whether to grant the request of a pipe client." This is OK if the client is a normal user, but if the client is system, as is currently the case in many Windows services, it can be hijacked by a faked/hacking named pipe server. I have seen several papers talking about exploiting this. Would it be better to have this function ImpersonateNamedPipeClient() work only in the case when the named pipe server has higher privilege than the client?
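The client-side control that addresses the concern above is the Security Quality of Service (SQOS) flags on CreateFile, which cap the impersonation level a pipe server obtains from ImpersonateNamedPipeClient(). The following is an added example, not code from the original post; the pipe name is a placeholder, and the non-Windows branch only reproduces the Win32 constants so the flag logic compiles elsewhere.

```c
/* Added example: a named-pipe client limits what the server may do with its
 * token via SQOS flags. With SECURITY_IDENTIFICATION, the server's
 * ImpersonateNamedPipeClient() yields an identification-level token that can
 * be inspected for access decisions but cannot be used to act as the client. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Win32 constant values, reproduced so the flag logic builds off Windows. */
typedef unsigned long DWORD;
#define SECURITY_SQOS_PRESENT    0x00100000UL
#define SECURITY_ANONYMOUS       0x00000000UL
#define SECURITY_IDENTIFICATION  0x00010000UL
#define SECURITY_IMPERSONATION   0x00020000UL
#endif

/* Build dwFlagsAndAttributes for CreateFile: always request SQOS and cap the
 * level. allow_impersonation should stay 0 unless the client has verified
 * the server is a trusted, more privileged process. */
DWORD pipe_client_flags(int allow_impersonation)
{
    DWORD level = allow_impersonation ? SECURITY_IMPERSONATION
                                      : SECURITY_IDENTIFICATION;
    return SECURITY_SQOS_PRESENT | level;
}

/* Return 1 if a flag set lets the server impersonate (or delegate as) the
 * caller. Without SECURITY_SQOS_PRESENT the default level is impersonation,
 * which is the exposure the post describes. */
int flags_permit_impersonation(DWORD flags)
{
    if (!(flags & SECURITY_SQOS_PRESENT))
        return 1;
    /* Bits 16-17 carry the SECURITY_IMPERSONATION_LEVEL value. */
    return (flags & 0x00030000UL) >= SECURITY_IMPERSONATION;
}

#ifdef _WIN32
/* Open the pipe so the server only receives an identification token.
 * "\\\\.\\pipe\\example" is a placeholder name. */
HANDLE open_pipe_restricted(const char *name)
{
    return CreateFileA(name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, pipe_client_flags(0), NULL);
}
#endif
```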
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 11:18:55 PST