Microsoft Windows 2000 Named Pipes Predictability Vulnerability

The Service Control Manager (SCM) is an administrative tool in Windows 2000 which handles the creation and modification of system services such as Server, Workstation, Alerter, and ClipBook. A server-side named pipe is created before each service is started, and these pipes are named in a predictable sequence which can be obtained from:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent

Due to the predictability of subsequent named pipes, any local user logged on interactively to a Windows 2000 machine is able to create a server-side named pipe and assume the security context of the system service the next time it is started. Arbitrary code could be attached to the named pipe, making it possible for the local user to craft an exploit that would allow them to gain Administrator account status.
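
The flaw described above, set beside the general mitigations for this class of bug, as a simplified model added here (not code from the advisory or from Microsoft, and not a description of the vendor's fix). The identities, the counter value and the "ctlpipe" name format are constructed for illustration; the Win32 flags named in the comments are the real-world counterparts of the two model switches.

```python
import secrets

SCM, SERVICE, USER = "SCM", "SYSTEM-service", "local-user"  # constructed identities

class PipeNamespace:
    """Simplified model of a local pipe namespace that any logged-on user can create names in."""

    def __init__(self):
        self.creator = {}  # pipe name -> identity that created the first instance

    def create(self, name, who, first_instance_only=False):
        if name in self.creator:
            if first_instance_only:  # Win32 counterpart: FILE_FLAG_FIRST_PIPE_INSTANCE
                raise PermissionError(f"{name} already created by {self.creator[name]}")
            return  # flawed path: silently becomes another instance of a squatted name
        self.creator[name] = who

    def connect(self, name, client, allow_impersonation=True):
        """Return (who controls the server end, identity that party can act as)."""
        server = self.creator[name]
        # Win32 counterpart of allow_impersonation=False: SECURITY_IDENTIFICATION on the client
        return server, (client if allow_impersonation else server)

def start_service_predictable(ns, counter):
    """Flawed pattern from the advisory: the next name follows from a readable counter."""
    name = f"ctlpipe{counter + 1}"  # hypothetical name format
    ns.create(name, SCM)
    return ns.connect(name, SERVICE)

def start_service_hardened(ns):
    """Unguessable name, exclusive creation (fail closed), no impersonation by the server."""
    name = f"ctlpipe-{secrets.token_hex(16)}"
    ns.create(name, SCM, first_instance_only=True)
    return ns.connect(name, SERVICE, allow_impersonation=False)

def demo():
    ns, counter = PipeNamespace(), 7          # constructed counter value
    ns.create(f"ctlpipe{counter + 1}", USER)  # name registered before the service starts
    return start_service_predictable(ns, counter), start_service_hardened(ns)

if __name__ == "__main__":
    print(demo())
```

In the predictable case the server end is controlled by the local user, who can act as the service; in the hardened case the SCM controls the pipe and the server end gains no identity beyond its own.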


 

Copyright 2010, SecurityFocus