Windows named pipes security

Windows security enables you to control access to named pipes. For more information about security, see Access-Control Model. You can specify a security descriptor for a named pipe when you call the CreateNamedPipe function. The security descriptor controls access to both client and server ends of the named pipe.

If you specify NULL, the named pipe gets a default security descriptor. The ACLs in the default security descriptor for a named pipe grant full control to the LocalSystem account, administrators, and the creator owner. They also grant read access to members of the Everyone group and the anonymous account. To retrieve a named pipe's security descriptor, call the GetSecurityInfo function.

An attacker who is allowed to influence these values for a created server can abuse them to potentially cause a system crash by choosing large buffers, or to delay pipe operations by choosing a small buffer e.

The only gear you can turn when you want to secure your named pipe setup is setting a Security Descriptor for the named pipe server as the last parameter, lpSecurityAttributes, of the CreateNamedPipe call. The Windows docs define what the default Security Descriptor does for your named pipe server:

The ACLs in the default security descriptor for a named pipe grant full control to the LocalSystem account, administrators, and the creator owner. They also grant read access to members of the Everyone group and the anonymous account. For remote connections, note once again - as described at the end of the Named Pipe Messaging chapter - that the network authentication protocol is negotiated between the client and server through the SMB protocol.

There is no way to programmatically enforce the use of the stronger Kerberos protocol; you could only disable NTLM on the server host. Impersonation is the ability of a thread to execute in a security context different from the security context of the process that owns the thread. Impersonation typically applies in a client-server architecture where a client connects to the server and the server could, if needed, impersonate the client.

A typical scenario would be a server that wants to access some records, say in a database, but only the client is allowed to access its own records. The server could now reply back to the client, asking it to fetch the records itself and send them over to the server, or the server could use an authorization protocol to prove that the client allowed the server to access the record, or - and this is what Impersonation is - the client sends the server some identification information and allows the server to switch into the role of the client.

Somewhat like the client giving its driver's license to the server along with the permission to use that license to identify itself towards other parties, such as a gatekeeper or, more technically, a database server. The identification information specifying who the client is, such as the SID, is packed in a structure called a security context. This structure is baked deeply into the internals of the operating system and is a required piece of information for inter-process communication.

To control this, Microsoft created so-called Impersonation Levels. For some context around Impersonation, have a look at the Access Tokens section and the following Impersonation section in my post about Windows Authorization.

The most important attack vector based on named pipes is Impersonation. There are two important aspects you need to check when attempting to impersonate a client. The second important aspect to check is the file name, aka. There is an important distinction between calling local named pipes and calling remote named pipes. Therefore a vulnerable call looks like this: Now comes the important bit:

If your user does not hold this privilege the Impersonation Level will be set to SecurityIdentification which allows you to identify, but not impersonate the user.
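The two controls discussed above, an explicit security descriptor on the server side and the impersonation level the client grants, as an added example that is not from the original page or its sample code. It uses the .NET pipe classes from Windows PowerShell 5.1 (.NET Framework); the pipe name and message are constructed for the demo, and server and client run in one process only so the effect can be observed in a single script.

```powershell
using namespace System.IO.Pipes
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$pipeName = 'demo-secured-pipe'   # constructed name for this example

function New-HardenedPipeSecurity {
    # Explicit DACL replacing the default one, which grants read access to
    # Everyone and ANONYMOUS LOGON. ReadWrite deliberately excludes
    # CreateNewInstance, so other users cannot add instances under this name.
    $sec = [PipeSecurity]::new()
    $network   = [SecurityIdentifier]::new([WellKnownSidType]::NetworkSid, $null)
    $anonymous = [SecurityIdentifier]::new([WellKnownSidType]::AnonymousSid, $null)
    $authUsers = [SecurityIdentifier]::new([WellKnownSidType]::AuthenticatedUserSid, $null)
    $system    = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
    # Deny entries are ordered before the allows by PipeSecurity, so callers
    # arriving over SMB (NETWORK SID) or without authentication are rejected.
    $sec.AddAccessRule([PipeAccessRule]::new($network,   [PipeAccessRights]::FullControl, [AccessControlType]::Deny))
    $sec.AddAccessRule([PipeAccessRule]::new($anonymous, [PipeAccessRights]::FullControl, [AccessControlType]::Deny))
    $sec.AddAccessRule([PipeAccessRule]::new($authUsers, [PipeAccessRights]::ReadWrite,   [AccessControlType]::Allow))
    $sec.AddAccessRule([PipeAccessRule]::new($system,    [PipeAccessRights]::FullControl, [AccessControlType]::Allow))
    return $sec
}

# Server: one instance, byte mode, small buffers, hardened DACL instead of NULL.
$server = [NamedPipeServerStream]::new($pipeName, [PipeDirection]::InOut, 1,
    [PipeTransmissionMode]::Byte, [PipeOptions]::None, 4096, 4096, (New-HardenedPipeSecurity))
$pending = $server.WaitForConnectionAsync()

# Client: request SECURITY_IDENTIFICATION. The server can learn who we are,
# but the token it receives cannot be used to act on our behalf.
$client = [NamedPipeClientStream]::new('.', $pipeName, [PipeDirection]::InOut,
    [PipeOptions]::None, [TokenImpersonationLevel]::Identification)
$client.Connect(5000)
$pending.Wait()

$writer = [System.IO.StreamWriter]::new($client); $writer.AutoFlush = $true
$writer.WriteLine('hello from client')
$reader = [System.IO.StreamReader]::new($server)
"server received '{0}' from {1}" -f $reader.ReadLine(), $server.GetImpersonationUserName()

# Impersonate anyway and inspect the thread token: the level reflects what the
# client granted, not the full Impersonation level a default CreateFile call would give.
$observed = $null
$server.RunAsClient([PipeStreamImpersonationWorker]{
    $script:observed = [WindowsIdentity]::GetCurrent().ImpersonationLevel
})
"impersonation level granted to the server: $observed"
$client.Dispose(); $server.Dispose()
```

On PowerShell 7 (.NET Core) the PipeSecurity constructor overload is not available; the equivalent there is NamedPipeServerStreamAcl.Create from the System.IO.Pipes.AccessControl package.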

You can find a full implementation in my sample code here. A quick rundown of the implementation is shown below: Moreover, multiple named pipes with the same name can exist under this one roof.

So what happens if an application creates a named pipe that already exists? This design makes Named Pipes vulnerable to instance-creation race conditions.

The server creates a named pipe for communication with the client application(s).

