
Microsoft Windows 2000 Service Control Manager Named Pipe Vulnerability
A0108022000
Published: 2000-08-02 00:00:00
Updated: 2000-08-02 00:00:00

                                 Guardent Security Advisory A0108022000
                                 Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation
                                 Vulnerability
                                 August 02, 2000

                                 Executive Summary
                                 A vulnerability in the way Windows 2000 handles named pipes allows any
                                 non-privileged user to elevate his or her current security context to that of any
                                 service the user is permitted to have the service control manager start. By
                                 exploiting this bug, a non-privileged local user can gain privileged access to the
                                 system.

                                 Affected Systems
                                 Guardent discovered and successfully exploited this vulnerability in Microsoft Windows
                                 2000. Guardent's research and development team notified Microsoft when the
                                 vulnerability was initially found and worked with them to fix the problem. You can read
                                 Microsoft's advisory here:
                                 http://www.microsoft.com/technet/security/bulletin/ms00-053.asp

                                 Detailed Discussion
                                 The vulnerability resides in the protocol used to implement the client/server
                                 relationship between the service control manager (SCM) and the services it starts.
                                 The SCM holds the server end of a control pipe whose name is predictable, and a
                                 service started by the SCM connects to that pipe as a client. By creating the pipe
                                 first, a malicious or unauthorized process can effectively become the server end of
                                 the named pipe. A service started by the SCM will then connect to the malicious pipe,
                                 and the process holding the server end has the ability to impersonate the security
                                 context of the client connected to the pipe, which in this case is an NT service.

                                 Step one: determine the name of the next SCM control pipe. The SCM numbers its
                                 control pipes sequentially, and the current counter can be read from the registry:

                                     HKLM\System\CurrentControlSet\Control\ServiceCurrent.

                                 Step two: increment the value and append it to the string:

                                     "\\.\pipe\net\NtControlPipe".

                                 Step three: create a named pipe using this name (CreateNamedPipe) and wait for a
                                 pipe client to connect (ConnectNamedPipe).

                                 Step four: after the pipe has been created, instruct the SCM to start a service.
                                 Every service has a security descriptor that dictates to the SCM which users can
                                 perform which actions on that service. Windows 2000 ships with numerous services
                                 whose security descriptor allows interactive accounts to start them and which also
                                 run as LocalSystem. One example is "ClipBook".

                                 At this point, the service that was just instructed to start has connected to the
                                 malicious pipe rather than to the SCM's pipe, as it normally would.

                                 Finally, ImpersonateNamedPipeClient requires that the server end has read data the
                                 client wrote over the pipe, so the basic requirement for impersonation is to issue
                                 a ReadFile call on the pipe once the service has connected.

                                 The malicious process now has the ability to impersonate the security context of the
                                 client by using the call ImpersonateNamedPipeClient. This effectively gives the
                                 malicious thread an impersonation token of the service that has connected to the pipe.

                                 The malicious process now holds the security context of the service that connected
                                 to the malicious named pipe, LocalSystem in the ClipBook case. The token applies only
                                 to the thread that called ImpersonateNamedPipeClient; from that thread the process
                                 can open processes running in that context to inject a remote thread or read their
                                 memory, or duplicate the impersonation token into a primary token (DuplicateTokenEx)
                                 and start a new process with it, any of which gives the local user full
                                 administrative control of the system.
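                                 The PowerShell below is an added example, not code from the Guardent advisory or
                                 from Microsoft. It checks the two preconditions of the procedure above from the
                                 defender's side: whether the next SCM control pipe name computed in steps one and
                                 two already exists (someone holding the server end early, as in step three), and
                                 which LocalSystem services a low-privilege caller is allowed to start (the step four
                                 precondition). It assumes the ServiceCurrent counter is stored as the key's
                                 "(default)" REG_DWORD value, and it uses sc.exe sdshow to obtain each service's
                                 security descriptor as SDDL.

```powershell
# Added example, not code from the Guardent advisory or from Microsoft.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.
# Assumption: the SCM counter is the "(default)" REG_DWORD value of ServiceCurrent.

Set-StrictMode -Version Latest

function Get-NextControlPipeName {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceCurrent'
    $current = (Get-ItemProperty -Path $key).'(default)'
    if ($null -eq $current) { throw "Could not read the ServiceCurrent counter at $key" }
    # Step two of the advisory: increment the counter and append it to the prefix.
    '\\.\pipe\net\NtControlPipe{0}' -f ([int]$current + 1)
}

function Test-ControlPipeSquatted {
    # Step three from the attacker's side is creating this pipe before the SCM
    # does; a pipe instance that already exists is what a defender should notice.
    param([string]$PipeName = (Get-NextControlPipeName))
    # The pipe namespace is flat, so names containing a backslash are listed here too.
    $existing = [System.IO.Directory]::GetFiles('\\.\pipe\')
    [pscustomobject]@{
        PipeName      = $PipeName
        AlreadyExists = ($existing -contains $PipeName)
    }
}

# Principals an interactive, non-privileged logon holds in its token:
# Everyone, INTERACTIVE, Authenticated Users, BUILTIN\Users.
$LowPrivSids = 'S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545'

# Service access bits that permit StartService: SERVICE_START itself (SDDL "RP"),
# plus the generic rights that map onto it for service objects.
$SERVICE_START   = 0x00000010
$GENERIC_EXECUTE = 0x20000000
$GENERIC_ALL     = 0x10000000
$StartMask = $SERVICE_START -bor $GENERIC_EXECUTE -bor $GENERIC_ALL

function Get-StartableLocalSystemService {
    # Step four's precondition: a service running as LocalSystem whose DACL lets
    # a low-privilege principal start it (the advisory's ClipBook example).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $svc = $_
            # sc.exe sdshow prints the service's security descriptor in SDDL form.
            $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
            if (-not $sddl) { return }
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
                if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
                if (($ace.AccessMask -band $StartMask) -eq 0) { continue }
                if ($LowPrivSids -contains $ace.SecurityIdentifier.Value) {
                    [pscustomobject]@{
                        Service        = $svc.Name
                        RunsAs         = $svc.StartName
                        StartGrantedTo = $ace.SecurityIdentifier.Value
                        State          = $svc.State
                    }
                }
            }
        }
}

Test-ControlPipeSquatted | Format-List
Get-StartableLocalSystemService | Format-Table -AutoSize
```

                                 On a system carrying the MS00-053 hotfix, or any later Windows, this is an inventory
                                 of the exposure preconditions, not a test for the vulnerability: the pipe check is
                                 inherently racy (the counter moves every time a service starts), and the service list
                                 only tells you which LocalSystem services an unprivileged user could still ask the
                                 SCM to start.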

                                 Remedy
                                 Guardent notified Microsoft of this issue immediately after discovering and verifying
                                 the problem. As a result, Microsoft was able to locate the source of the vulnerability
                                 and create a hotfix to alleviate the problem. The hotfix can be downloaded from:

                                 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432

                                 Additional Information
                                 To contact the Guardent R&D team, please send email to:
                                 guardentresearch@guardent.com

                                 All contents of this advisory are copyright 2000 Guardent, Inc.

                                 About Guardent, Inc.
                                 Guardent is a next-generation digital security services firm offering strategic solutions
                                 for technology-enabled enterprises. As a trusted security advisor, Guardent partners
                                 with clients to meet their requirements for the continuous innovation and development
                                 of their IT infrastructures, while mitigating the risks inherent in today's complex
                                 networked environments.

                                 Headquartered in the heart of Boston's technology corridor, Guardent has operations
                                 in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto, and London.

                                 Obtain more information on Guardent by calling 888.413.4344 or by visiting us on the
                                 web at www.guardent.com.

                                 Press Contact:
                                 Dan McCall
                                 Executive Vice President
                                 Guardent, Inc.
                                 dan.mccall@guardent.com
                                 (617) 513-6623

                                 Technical Contact:
                                 Mike Schiffman
                                 Director, Research and Development
                                 Guardent, Inc.
                                 michael.schiffman@guardent.com
                                 (888) 413-4344

Copyright 2008, SecurityFocus