Why MS named pipes work this way

From: Minchu Mo (morris_minchuat_private)
Date: Mon Dec 10 2001 - 03:56:05 PST

    Microsoft named pipes allow the named pipe server 
    to use the function ImpersonateNamedPipeClient() to 
    assume the security token of the named pipe client, 
    which in lots of cases is the system account. 
    
    MSDN says, "This function can be useful in 
    determining whether to grant the request of a pipe 
    client." This is OK if the client is a normal user, but if 
    the client is system, as currently exists in many 
    Windows services, it can be hijacked by a 
    faked/hacking named pipe server. I have seen several 
    papers talking about exploiting this.
    
    Would it be better to have this function 
    ImpersonateNamedPipeClient() work only in the case 
    when the named pipe server has higher privilege than 
    the client?
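The behaviour discussed above, as an added example that is not part of the original post. The script below runs a named pipe server and a client in one PowerShell process and shows what the server observes when it impersonates the client through ImpersonateNamedPipeClient(), which .NET exposes as NamedPipeServerStream.RunAsClient(). It also shows the check that sits on the client side of the pipe: a client that connects with TokenImpersonationLevel.Identification (the Win32 equivalent is CreateFile with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION) lets the server learn who it is but not act as it, so a faked server on a guessable pipe name gets no usable token. The pipe name, the function name and the use of a script-scoped variable to carry the result out of the impersonation callback are assumptions made for this example.

```powershell
# Added example, not code from the original post. Demonstrates
# ImpersonateNamedPipeClient() (via NamedPipeServerStream.RunAsClient())
# and the client-side SQOS defence (TokenImpersonationLevel.Identification).
using namespace System.IO.Pipes
using namespace System.Security.Principal

function Test-PipeImpersonation {
    param(
        # What the client asks for when it opens the pipe. Win32 CreateFile without
        # SECURITY_SQOS_PRESENT behaves like Impersonation, which is the exposure
        # discussed in the post; Identification is the hardened choice.
        [Parameter(Mandatory)]
        [TokenImpersonationLevel] $ClientLevel,
        # Assumed pipe name for this example; a real service uses a fixed, known name.
        [string] $PipeName = 'example-impersonation-' + [guid]::NewGuid().ToString('N')
    )

    $server = [NamedPipeServerStream]::new($PipeName, [PipeDirection]::InOut, 1,
                                           [PipeTransmissionMode]::Byte, [PipeOptions]::Asynchronous)
    $client = [NamedPipeClientStream]::new('.', $PipeName, [PipeDirection]::InOut,
                                           [PipeOptions]::None, $ClientLevel)
    try {
        # Wait asynchronously so the client living in this same process can connect.
        $wait = $server.WaitForConnectionAsync()
        $client.Connect(5000)
        $wait.Wait()

        # Let the client write and the server read once: impersonation can fail with
        # ERROR_CANNOT_IMPERSONATE before the server has read anything from the pipe.
        $client.WriteByte(1)
        $null = $server.ReadByte()

        # Script-scoped holder so the callback below can hand its observation back.
        $script:PipeObservation = $null

        # RunAsClient() wraps the delegate in ImpersonateNamedPipeClient() /
        # RevertToSelf(). Whatever token the client allowed is now on this thread.
        $server.RunAsClient([PipeStreamImpersonationWorker]{
            $id = [WindowsIdentity]::GetCurrent()
            $script:PipeObservation = [pscustomobject]@{
                ImpersonatedAs = $id.Name
                TokenLevel     = $id.ImpersonationLevel
            }
        })

        $observed = $script:PipeObservation
        [pscustomobject]@{
            ClientRequested = $ClientLevel
            # The server can learn the client's name without impersonating at all.
            ClientUserName  = $server.GetImpersonationUserName()
            ImpersonatedAs  = $observed.ImpersonatedAs
            ServerTokenLevel = $observed.TokenLevel
            # Only Impersonation (or Delegation) level tokens pass access checks;
            # an Identification token cannot be used to open objects as the client.
            CanActAsClient  = $observed.TokenLevel -in @(
                [TokenImpersonationLevel]::Impersonation,
                [TokenImpersonationLevel]::Delegation)
        }
    }
    finally {
        $client.Dispose()
        $server.Dispose()
    }
}

# Usage: the first call models a client that never set SQOS flags, the second a
# client that refuses to hand out a usable token.
Test-PipeImpersonation -ClientLevel Impersonation
Test-PipeImpersonation -ClientLevel Identification
```

Run both calls as the same user and compare the ServerTokenLevel and CanActAsClient columns: the server impersonates in both cases, but only the Impersonation-level connection gives it a token that access checks will honour. Applied to the post's scenario, a SYSTEM client that opens pipes with SECURITY_IDENTIFICATION (or SECURITY_ANONYMOUS) leaves a rogue server with nothing to hijack, which is why the usual fix is on the client, not in ImpersonateNamedPipeClient() itself.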
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 11:18:55 PST