AUSCERT External Security Bulletin Redistribution

              ESB-2003.0475 -- @stake, Inc. Security Advisory
              Named Pipe Filename Local Privilege Escalation
                               09 July 2003


        AusCERT Security Bulletin Summary

Product:                Windows 2000
Publisher:              @stake, Inc.
Operating System:       Windows 2000
Impact:                 Increased Privileges
Access Required:        Existing Account
CVE Names:              CAN-2003-0496

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                              @stake, Inc.

                           Security Advisory

Advisory Name: Named Pipe Filename Local Privilege Escalation
 Release Date: 07/08/2003
  Application: Microsoft SQL Server
     Platform: Windows NT/2000/XP
     Severity: Local privilege escalation
       Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Fix available in Windows 2000 SP4
CVE Candidate: CAN-2003-0496 Named Pipe Filename Local Privilege
    Reference: www.atstake.com/research/advisories/2003/a070803-1.txt


By specifying the name of a named pipe instead of a file, as an
argument to SQL Server's xp_fileexist extended stored procedure,
one can impersonate the user account Microsoft SQL Server is running
under. This is due to the behavior of the CreateFile system call and
Windows named pipe impersonation. This is not limited to Microsoft
SQL Server, but a system wide problem.

Detailed Description:

The API call CreateFile is used to open and/or create files, named
pipes, mail slots and much more. Today, there is no mechanism in
this API call to limit what kind of resource one want to open. This
is due to the fact that most resources are implemented as part of
the filesystem.

Most services in WIN32 are running under the local system account
and handling files in one way or another. If there exists a way
to specify which file a service should open, it is possible to
impersonate the account this service is running under. Additionally,
if UNC paths are used, there is no need to do a read operation on
the named pipe before it is possible to impersonate the client end
of the pipe.

This behaviour is easy to exploit in Microsoft SQL Server since
there are a large number of procedures where we can specify which
file to use. As an example, we will use xp_fileexist, an extended
stored proceudre that public can execute. By creating a named pipe
server with an arbitrary name and execute xp_fileexist with the
UNC name of the named pipe as an argument, one can impersonate the
user account SQL Server is running under.

Note that this is a system wide behaviour and not limited to
Microsoft SQL Server.

See the example section for an easy to follow example, which
describes the scenario.


Here follows a session which is cut-and-pasted from two
command shells. Mssqlpipe.exe is a program that creates a named
pipe, waits for a client to connect, and then impersonates
the client.  It then executes the program specified on the
command line as the impersonated user.

- - - From command shell #1:

C:\>mssqlpipe.exe cmd.exe
Creating pipe: \\.\Pipe\atstake
Pipe created, waiting for connectection
Connect to the database (with isql for example) and execute:
xp_fileexist '\\SERVERNAME\pipe\atsstake'
Then in command shell #2:

C:\>isql -U andreas
1> xp_fileexist '\\TEMP123\pipe\atstake'
2> go
   File Exists File is a Directory Parent Directory Exists
   ----------- ------------------- -----------------------
             1                   0                       1
Then, back in command shell #1:

Impersonate user successful, we are running as user: SYSTEM

Vendor Response

Vendor first contacted on 06/21/2002
Vendor responded that they were working on fix: 07/08/2002
Vendor responded that fix would be in SP4: 10/02/2002

Vendor has fix in Windows 2000 SP4 available at:


The fix introduced a new user right in Windows 2000,
"Impersonate a Client AfterAuthentication".  This permission
is only granted to Administrators and service accounts
by default.  More information is available in the Microsoft
Knowledge Base:


@stake Recommendation

If you are running Windows 2000 you should install SP4.

SQL Server 2000 can run as a less privileged account than
SYSTEM which helps mitigate against this problem.  Always
configure your servers to run as the least privileged
user account possible.


Blake Watts (bwatts@securityinternals.com) for his Named Pipes
whitepaper "Discovering and Exploiting Named Pipe Security Flaws
for Fun and Profit".

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0496 Named Pipe Filename Local Privilege Escalation

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967