A0108022000
Published: 2000-08-02 00:00:00
Updated: 2000-08-02 00:00:00
Guardent Security Advisory A0108022000
Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation Vulnerability
August 02, 2000
Executive Summary
A vulnerability in the way Windows 2000 handles named pipes allows any
non-privileged user to elevate his or her current security context to that of an
arbitrary service (started by the service control manager). By exploiting this bug, a
non-privileged local user can gain privileged access to the system.
Affected Systems
Guardent discovered and successfully exploited this vulnerability in Microsoft Windows
2000. Guardent's research and development team notified Microsoft when the
vulnerability was initially found and worked with them to fix the problem. You can read
Microsoft's advisory here:
http://www.microsoft.com/technet/security/bulletin/ms00-053.asp
Detailed Discussion
The vulnerability resides in the communication algorithm used to implement a
client/server architecture between the service control manager (SCM) and the
services started by the SCM. By exploiting this vulnerability, a malicious or
unauthorized process has the opportunity to effectively become the server-end of a
named pipe. A service, started by the SCM, will connect to the named pipe, and after
becoming the server-end of the pipe, the process has the ability to impersonate the
security context of the client connected to the pipe, which in this case is an NT
Service.
The first step involved in exploiting the vulnerability is to determine what the name of
the next NT SCM control pipe will be. This name can be gleaned from the registry:
HKLM\System\CurrentControlSet\Control\ServiceCurrent.
Step two: increment the value and append it to the string:
"\\.\pipe\net\NtControlPipe".
Step three: create a named pipe using this name and wait for pipe clients.
Step four: after the pipe has been created, instruct the SCM to start an arbitrary
service. Every service has a security descriptor associated with it that dictates to
the SCM which users can perform which actions on the service in question. Included
with the release of Windows 2000 are numerous services whose security descriptor
allows interactive accounts to start them and which also run as LocalSystem. One
example is "ClipBook".
At this point, the service that was just instructed to start has connected to the
malicious pipe (rather than to the SCM's pipe, as it normally would).
Finally, the basic requirement for impersonation is to initiate a ReadFile call on the
pipe.
The malicious process now has the ability to impersonate the security context of the
client by using the call ImpersonateNamedPipeClient. This effectively gives the
malicious thread an impersonation token of the service that has connected to the pipe.
The malicious process now has the opportunity to perform privileged operations under
the security context of the service that has connected to the malicious named pipe.
The process can now inject a remote thread, read process memory, or attempt to
perform privilege elevation techniques to obtain administrator privileges.
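As an added example (not code from this advisory, Guardent or Microsoft), the audit below checks the precondition step four relies on: it reads each service's start account and SDDL security descriptor, in the form `sc qc` and `sc sdshow` print them, and flags services that run as LocalSystem and that a broad, non-administrative principal is allowed to start. The service names other than ClipBook and all descriptor strings are constructed samples; the RP/GA/GX-to-SERVICE_START mapping follows the SDDL service-rights convention.

```python
"""Flag services that run as LocalSystem and that interactive or other broad
principals may start. Added illustration, not the advisory's own code; the
sample descriptors are constructed, not real Windows 2000 values."""
import re

# SDDL service-specific right "RP" is SERVICE_START; generic GA/GX include it.
START_TOKENS = {"RP", "GA", "GX"}
# Hex-mask form: SERVICE_START | GENERIC_ALL | GENERIC_EXECUTE.
START_MASK = 0x0010 | 0x10000000 | 0x20000000
# Well-known SID aliases for broad, non-administrative principals.
BROAD = {"IU": "Interactive", "BU": "Users",
         "AU": "Authenticated Users", "WD": "Everyone"}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((\w+);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the DACL only."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop O:/G:/S: parts
    return ACE_RE.findall(dacl)


def grants_start(rights):
    """True if a rights field (letter pairs or hex mask) includes SERVICE_START."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & START_MASK)
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(pairs & START_TOKENS)


def exposed_services(services):
    """services: {name: (start_name, sddl)} -> sorted [(name, principal)].
    Deny ACEs are not evaluated, so a hit still deserves a manual look."""
    findings = []
    for name, (start_name, sddl) in services.items():
        if start_name.lower() != "localsystem":
            continue  # the advisory's concern is LocalSystem services
        for ace_type, rights, trustee in parse_dacl(sddl):
            if ace_type == "A" and trustee in BROAD and grants_start(rights):
                findings.append((name, BROAD[trustee]))
    return sorted(findings)


SAMPLE = {  # constructed descriptors for illustration only
    "ClipBook": ("LocalSystem", "D:(A;;CCLCSWRPWPDTLOCRRC;;;IU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;GA;;;WD)"),
    "ExampleSvc1": ("LocalSystem", "D:(A;;CCLCSWLOCRRC;;;IU)"  # no RP for IU
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"),
    "ExampleSvc2": ("LocalSystem", "D:(A;;0x2001f;;;AU)"),  # hex mask with 0x10
    "ExampleSvc3": (".\\svcuser", "D:(A;;GA;;;WD)"),  # not LocalSystem
}

if __name__ == "__main__":
    for name, who in exposed_services(SAMPLE):
        print(f"{name}: runs as LocalSystem and is startable by {who}")
```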
Remedy
Guardent notified Microsoft of this issue immediately after discovering and verifying
the problem. As a result, Microsoft was able to locate the source of the vulnerability
and create a hotfix to alleviate the problem. The hotfix can be downloaded from:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
Additional Information
To contact the Guardent R&D team, please send email to:
guardentresearch@guardent.com
All contents of this advisory are copyright 2000 Guardent, Inc.
About Guardent, Inc.
Guardent is a next-generation digital security services firm offering strategic solutions
for technology-enabled enterprises. As a trusted security advisor, Guardent partners
with clients to meet their requirements for the continuous innovation and development
of their IT infrastructures, while mitigating the risks inherent in today's complex
networked environments.
Headquartered in the heart of Boston's technology corridor, Guardent has operations
in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto, and London.
Obtain more information on Guardent by calling 888.413.4344 or by visiting us on the
web at www.guardent.com.
Press Contact:
Dan McCall
Executive Vice President
Guardent, Inc.
dan.mccall@guardent.com
(617) 513-6623
Technical Contact:
Mike Schiffman
Director, Research and Development
Guardent, Inc.
michael.schiffman@guardent.com
(888) 413-4344
