This reminds me of the named pipes prediction vulnerability. I believe the function in question is utilized by the PipeUpAdmin code (http://www.dogmile.com/files/pipeup.html).

----- Original Message -----
From: "Minchu Mo" <morris_minchuat_private>
To: <vuln-devat_private>
Sent: Monday, December 10, 2001 3:56 AM
Subject: Why MS namedpipe work this way

> Microsoft namedpipe allows the namedpipe server to
> use the function ImpersonateNamedPipeClient() to
> assume the security token of the namedpipe client,
> which in lots of cases is the system account.
>
> MSDN says, "This function can be useful in
> determining whether to grant the request of a pipe
> client." This is OK if the client is a normal user, but if
> the client is system, as currently exists in many
> Windows services, it can be hijacked by a
> faked/hacking namedpipe server. I have seen several
> papers talking about exploiting this.
>
> Would it be better to have this function
> ImpersonateNamedPipeClient() work only in the case
> when the namedpipe server has higher privilege than
> the client?
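As an added illustration, not code from either correspondent: the mitigation that exists on the client side of the question above. A privileged pipe client can cap the impersonation level it grants, so a server that squats on the pipe name and calls ImpersonateNamedPipeClient() gets at most an identification-level token. The pipe name and the running-as-SYSTEM scenario are placeholders.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Security.Principal;

// Hypothetical client that runs with high privilege (e.g. a Windows service
// running as SYSTEM) and connects to a pipe name it does not own, which is the
// situation described in the thread.
class CappedPipeClient
{
    // Placeholder pipe name; not a real service pipe.
    const string PipeName = "example_pipe";

    static void Main()
    {
        // The TokenImpersonationLevel argument is the defensive control:
        //   - Identification: the server may query who we are (enough for an
        //     access decision) but cannot act on our behalf.
        //   - Impersonation (the Win32 default when no SQOS flags are given,
        //     which is what the thread's rogue-server scenario relies on):
        //     the server can run code as the client on the local machine.
        // .NET maps Identification to SECURITY_SQOS_PRESENT |
        // SECURITY_IDENTIFICATION on the CreateFile call that opens the pipe.
        using var pipe = new NamedPipeClientStream(
            ".", PipeName, PipeDirection.InOut, PipeOptions.None,
            TokenImpersonationLevel.Identification);

        pipe.Connect(timeout: 5000);
        pipe.ReadMode = PipeTransmissionMode.Byte;

        using var writer = new StreamWriter(pipe) { AutoFlush = true };
        using var reader = new StreamReader(pipe);

        // Ordinary request/response traffic; the cap above applies to the
        // whole connection regardless of what the server does with the token.
        writer.WriteLine("PING");
        string reply = reader.ReadLine();
        Console.WriteLine($"server replied: {reply ?? "<none>"}");
    }
}
```

Constructors that omit the level use TokenImpersonationLevel.None, which leaves the Win32 default of full impersonation in place, so the level must be set explicitly to get this protection.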
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 16:02:22 PST