Microsoft Windows 2000 Named Pipes Predictability Vulnerability
BID:1535
Info
| Bugtraq ID: | 1535 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 01 2000 12:00AM |
| Updated: | Aug 01 2000 12:00AM |
| Credit: | Discovered by the R&D department of Guardent <[email protected]> and publicized in a Microsoft Security Bulletin (MS00-053) on August 2, 2000. |
| Vulnerable: | Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
The Service Control Manager (SCM) is an administrative component of Windows 2000 that handles the creation and modification of system services such as Server, Workstation, Alerter, and ClipBook. A server-side named pipe is created before each service is started, and these pipes are named in a predictable sequence that can be obtained from:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent
Because the name of each subsequent named pipe is predictable, any local user logged on interactively to a Windows 2000 machine is able to create the server-side named pipe first and assume the security context of the system service the next time that service is started. Arbitrary code could be attached to the named pipe, making it possible for the local user to craft an exploit that would allow them to gain Administrator account status.
Exploit / POC
For additional details regarding the exploit for this vulnerability, please see the following webpage:
http://www.securiteam.com/windowsntfocus/Additional_details_on_the_Named_Pipe_Service_Control_Impersonation.html
Maceo <[email protected]> has released the following exploit:
Solution / Fix
Solution:
Microsoft has released the following patch (Microsoft Q269523), which eliminates this vulnerability:
- Microsoft Windows 2000 Professional: Microsoft Q269523, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
- Microsoft Windows 2000 Advanced Server: Microsoft Q269523, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
- Microsoft Windows 2000 Server: Microsoft Q269523, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
References
References: