exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

A0108022000.txt

A0108022000.txt
Posted Aug 3, 2000
Authored by Mike Schiffman | Site guardent.com

Guardent Security Advisory - Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation vulnerability. A problem in the way Windows 2000 handles named pipes allows any non-privileged user to elevate his or her current security context to that of an arbitrary service (started by the service control manager). This bug prompted Microsoft to issue ms00-053.

tags | arbitrary
systems | windows
SHA-256 | 4ac72630f7e2cc4adfcedb4515cf0e2c16bfb767898a36445cdffb854597463d

A0108022000.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G U A R D E N T GUARDENT
SECURITY ADVISORY
secure digital infrastructure
A0108022000
- ----------------------------------------------------------------------
- ---------
Microsoft Windows 2000 Service Control Manager Named Pipe
Impersonation
Vulnerability

August 02, 2000

https://www.guardent.com/A0108022000.html
- ----------------------------------------------------------------------
- ---------

- -----------------
EXECUTIVE SUMMARY
- -----------------

A vulnerability in the way Windows 2000 handles named pipes allows
any
non-privileged user to elevate his or her current security context to
that of
an arbitrary service (started by the service control manager). By
exploiting
this bug, a non-privileged local user can gain privileged access to
the system.


- ----------------
AFFECTED SYSTEMS
- ----------------

Guardent discovered and successfully exploited this vulnerability in
Microsoft Windows 2000. Guardent's research and development team
notified
Microsoft when the vulnerability was initially found and worked with
them to
fix the problem. You can read Microsoft's advisory here:

https://www.microsoft.com/technet/security/bulletin/ms00-053.asp.


- -------------------
DETAILED DISCUSSION
- -------------------

The vulnerability resides in the communication algorithm used to
implement
a client/server architecture between the service control manager
(SCM) and the
services started by the SCM. By exploiting this vulnerability, a
malicious or
unauthorized process has the opportunity to effectively become the
server-end
of a named pipe. A service, started by the SCM, will connect to the
named
pipe, and after becoming the server-end of the pipe, the process has
the
ability to impersonate the security context of the client connected
to the
pipe, which in this case is an NT Service.

The first step involved in exploiting the vulnerability is to
determine what
the name of the next NT SCM control pipe will be. This name can be
gleaned
from the registry:

HKLM\System\CurrentControlSet\Control\ServiceCurrent.

Step two: increment the value and append it to the string:

"\\.\pipe\net\NtControlPipe".

Step three: create a named pipe using this name and wait for pipe
clients.

Step four: after the pipe has been created, instruct the SCM to start
an
arbitrary service. All services have a security descriptor
associated with
them that dictates to the SCM which users can perform which actions
to the
service in question. Included with the release of Windows 2000 are
numerous services with a security descriptor that allows interactive
accounts to start them, and which also run as LocalSystem. One
example is
"ClipBook".

At this point, the service that was recently instructed to start has
connected
to the malicious pipe (rather than the SCM pipe as would normally
do).

Finally, the basic requirement for impersonation is to initiate a
ReadFile
call on the pipe.

The malicious process now has the ability to impersonate the security
context
of the client by using the call ImpersonateNamedPipeClient. This
effectively
gives the malicious thread an impersonation token of the service that
has
connected to the pipe.

The malicious process now has the opportunity to perform privileged
operations
under the security context of the service that has connected to the
malicious
named pipe. The process can now inject a remote thread, read process
memory,
or attempt to perform privilege elevation techniques to obtain
administrator
privileges.


- ------
REMEDY
- ------

Guardent notified Microsoft of this issue immediately after
discovering and
verifying the problem. As a result, Microsoft was able to locate the
source
of the vulnerability and create a hotfix to alleviate the problem.
The hotfix
can be downloaded from:

https://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432.


- ----------------------
ADDITIONAL INFORMATION
- ----------------------

To contact the Guardent R&D team, please send email to:

<guardentresearch@guardent.com>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000, GUARDENT, INC.


- -------------------
ABOUT GUARDENT, INC
- -------------------

Guardent is a next-generation digital security services firm offering
strategic
solutions for technology-enabled enterprises. As a trusted security
advisor,
Guardent partners with clients to meet their requirements for the
continuous
innovation and development of their IT infrastructures, while
mitigating the
risks inherent in today's complex networked environments.

Headquartered in the heart of Boston's technology corridor, Guardent
has
operations in Washington, D.C., Minneapolis, San Francisco, Seattle,
Toronto,
and London.

Obtain more information on Guardent by calling 888.413.4344 or by
visiting
us on the web at https://www.guardent.com.

Press contact: Dan McCall
Executive Vice President, Guardent, Inc.
dan.mccall@guardent.com
617.513.6623

Technical contact: Mike Schiffman
Director, Research and Development, Guardent, Inc.
mike.schiffman@guardent.com
888.413.4344

EOF

Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
https://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOYhJYAHhCsRVdxmnEQIG2wCg7/cFRgvcg9XzVw6e9/JRau4mqgcAoIu1
bQVxlfZFM4GW4QQbo7nnGN9z
=4cfL
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close