Privilege Violation When Creating a Pipe Instance in NPFS

ID: Q240073

The information in this article applies to:

Microsoft Windows NT Server version 4.0
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server, Enterprise Edition version 4.0

SYMPTOMS

When a client uses the recommended FILE_GENERIC_WRITE access type to open a named pipe to a server using the Microsoft Windows NT 4.0 Named Pipes File System (NPFS), it is possible for the client, regardless of permissions, to create an instance of a server pipe and wait for a privileged user to connect in order to impersonate them on that instance. This privilege violation poses a C2 security risk.

CAUSE

This behavior also occurs because NPFS does not verify that the user has the needed permissions in the Access Control List (ACL) and access type in the Discretionary Access Control List (DACL). Another factor contributing to this situation is that named pipes which were not created with an explicit security descriptor receive the NULL security descriptor and allows unprivileged processes to obtain handles to named pipes on a server.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

STATUS

Microsoft has confirmed this to be a problem in Windows NT 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 6.

MORE INFORMATION

Without the application of Windows NT 4.0 Service Pack 6, a server running Windows NT 4.0 cannot stop clients from creating an instance of a named pipe because the instance bits from FILE_CREATE_PIPE_INSTANCE overlap with FILE_APPEND_DATA in the GENERIC_WRITE access type. So long as a client has FILE_GENERIC_WRITE access to a pipe, they can create an instance and acquire unauthorized access. NPFS can then check for permissions and access types, and a default security descriptor is added to the I/O Manager that does not allow unprivileged access.

An application, however, can protect itself against being instanced in this situation by denying all access to the pipe (the Dynamic Host Control Protocol (DHCP) client is an example of an application that denies all access).

Within the Security Descriptor, (a special data structure containing security information for an object), the DACL identifies users and group Security Identifiers (SIDs) that are to be granted or denied access for an object, and the System Access Control List (SACL) controls the auditing message the operating system generates. Both the DACL and the SACL contain ACE elements, which specify the users and groups with their individual permissions. The SID, ACL, DACL, and SACL are components that play a role in determining how well a computer complies with the U.S. Department of Defense C2security specification.

For more information on the requirements and characterisitcs of C2 security, please visit the following Microsoft Web site:

http://www.microsoft.com/NTServer/security/exec/overview/C2Beyond.asp

Additional query words:

Keywords : ntsecurity ntsp kbbug4.00 kbfix4.00 NT4SP6Fix
Version : winnt:4.0
Platform : winnt
Issue type : kbbug