===========================================================================
             AUSCERT External Security Bulletin Redistribution

              ESB-2003.0475 -- @stake, Inc. Security Advisory
              Named Pipe Filename Local Privilege Escalation
                               09 July 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Windows 2000
Publisher:              @stake, Inc.
Operating System:       Windows 2000
Impact:                 Increased Privileges
Access Required:        Existing Account
CVE Names:              CAN-2003-0496

--------------------------BEGIN INCLUDED TEXT--------------------


                              @stake, Inc.
                            www.atstake.com

                           Security Advisory


Advisory Name: Named Pipe Filename Local Privilege Escalation
 Release Date: 07/08/2003
  Application: Microsoft SQL Server
     Platform: Windows NT/2000/XP
     Severity: Local privilege escalation
       Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Fix available in Windows 2000 SP4
CVE Candidate: CAN-2003-0496 Named Pipe Filename Local Privilege
               Escalation
    Reference: www.atstake.com/research/advisories/2003/a070803-1.txt


Overview:

By specifying the name of a named pipe instead of a file as an
argument to SQL Server's xp_fileexist extended stored procedure,
one can impersonate the user account Microsoft SQL Server is running
under. This is due to the behavior of the CreateFile system call and
Windows named pipe impersonation. It is not limited to Microsoft
SQL Server but is a system-wide problem.


Detailed Description:

The API call CreateFile is used to open and/or create files, named
pipes, mail slots and much more. Today, there is no mechanism in
this API call to limit what kind of resource one wants to open. This
is because most resources are implemented as part of the filesystem
namespace.

Most services in WIN32 run under the local system account and
handle files in one way or another. If there is a way to specify
which file a service should open, it is possible to impersonate the
account this service is running under. Additionally, if UNC paths
are used, there is no need to perform a read operation on the named
pipe before it is possible to impersonate the client end of the
pipe.

This behaviour is easy to exploit in Microsoft SQL Server since
there are a large number of procedures where we can specify which
file to use. As an example, we will use xp_fileexist, an extended
stored procedure that the public role can execute. By creating a
named pipe server with an arbitrary name and executing xp_fileexist
with the UNC name of the named pipe as an argument, one can
impersonate the user account SQL Server is running under.

Note that this is a system wide behaviour and not limited to
Microsoft SQL Server.

See the example section for an easy-to-follow example which
describes the scenario.


Example:

Here follows a session which is cut-and-pasted from two
command shells. Mssqlpipe.exe is a program that creates a named
pipe, waits for a client to connect, and then impersonates
the client.  It then executes the program specified on the
command line as the impersonated user.

From command shell #1:

C:\>mssqlpipe.exe cmd.exe
Creating pipe: \\.\Pipe\atstake
Pipe created, waiting for connectection
Connect to the database (with isql for example) and execute:
xp_fileexist '\\SERVERNAME\pipe\atsstake'
 
Then in command shell #2:

C:\>isql -U andreas
Password:
1> xp_fileexist '\\TEMP123\pipe\atstake'
2> go
   File Exists File is a Directory Parent Directory Exists
   ----------- ------------------- -----------------------
             1                   0                       1
 
Then, back in command shell #1:

Impersonate user successful, we are running as user: SYSTEM


Vendor Response

Vendor first contacted on 06/21/2002
Vendor responded that they were working on fix: 07/08/2002
Vendor responded that fix would be in SP4: 10/02/2002

Vendor has fix in Windows 2000 SP4 available at:

http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

The fix introduced a new user right in Windows 2000,
"Impersonate a Client After Authentication".  This right
is only granted to Administrators and service accounts
by default.  More information is available in the Microsoft
Knowledge Base:

http://support.microsoft.com/default.aspx?scid=kb;[LN];821546


@stake Recommendation

If you are running Windows 2000 you should install SP4.

SQL Server 2000 can run as a less privileged account than
SYSTEM, which helps mitigate this problem.  Always
configure your servers to run as the least privileged
user account possible.
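As a defensive illustration of the Detailed Description and the recommendation above (added here; not part of the @stake advisory or of any Microsoft code): a path classifier that a privileged file-handling service could apply to a caller-supplied name before it reaches CreateFile, so that every spelling that resolves into the named pipe namespace is refused rather than opened. The function names and the allow_unc policy knob are this example's own inventions; Python is used because the check is pure string logic.

```python
import re
from typing import Optional

_DRIVE = re.compile(r"[a-z]:")


def _normalize(path: str) -> str:
    # Win32 accepts '/' as a separator and is case-insensitive; fold both
    # so every spelling of the same object is compared the same way.
    return path.strip().replace("/", "\\").lower()


def classify_path(path: str) -> str:
    r"""Return 'pipe', 'device', 'unc' or 'local' for a Win32 path.

    'pipe' covers the spellings that reach the named pipe file system:
    \\.\pipe\x, \\?\pipe\x, \\host\pipe\x (the UNC form the advisory
    uses), \\?\UNC\host\pipe\x and \\.\GLOBALROOT\Device\NamedPipe\x.
    """
    p = _normalize(path)
    if not p.startswith("\\\\"):
        return "local"                      # drive-letter or relative path
    parts = p[2:].split("\\")
    head, rest = parts[0], parts[1:]
    if head in (".", "?"):                  # Win32 device namespace
        if rest[:1] == ["pipe"]:
            return "pipe"
        if rest[:1] == ["unc"]:             # long-path UNC spelling
            return "pipe" if rest[2:3] == ["pipe"] else "unc"
        if rest[:3] == ["globalroot", "device", "namedpipe"]:
            return "pipe"
        if rest and _DRIVE.fullmatch(rest[0]):
            return "local"                  # \\?\C:\... long-path form
        return "device"                     # PhysicalDrive0, mailslot, ...
    # Plain UNC \\host\share\...: the share name 'pipe' is the pipe namespace
    return "pipe" if rest[:1] == ["pipe"] else "unc"


def reject_reason(path: str, allow_unc: bool = False) -> Optional[str]:
    """Policy for a caller-supplied filename in a privileged service:
    open ordinary files only, so a pipe server can never be reached.
    Returns None when the path is acceptable, otherwise the reason."""
    kind = classify_path(path)
    if kind == "local" or (kind == "unc" and allow_unc):
        return None
    return "refusing to open %s path: %r" % (kind, path)
```

A string check is only the first line of defence; at the API level a service can also pass SECURITY_SQOS_PRESENT together with SECURITY_ANONYMOUS (or SECURITY_IDENTIFICATION) in CreateFile's flags, which caps the impersonation level any pipe server at the other end can obtain.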


Credits:

Blake Watts (bwatts@securityinternals.com) for his Named Pipes
whitepaper "Discovering and Exploiting Named Pipe Security Flaws
for Fun and Profit".


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0496 Named Pipe Filename Local Privilege Escalation


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.





--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.