Service Control Manager Named Pipe Impersonation Vulnerability

It may be possible for a non-privileged user to elevate their existing security context to that of a service that was started by Service Control Manager (SCM). A malicious user could use a named pipe connection to instruct a Windows 2000-based computer to start a pre-defined process that has a security permission higher than the actual security permission that is assigned to the user.

Issue

The Service Control Manager (services.exe) is an administrative tool provided in Windows 2000 that allows system services (Server, Workstation, Alerter, ClipBook, etc.) to be created or modified. The SCM creates a named pipe for each service as it starts, however, should a malicious program predict and create the named pipe for a specific service before the service starts, the program could impersonate the privileges of the service. This could allow the malicious program to run in the context of the given service, with either specific user or LocalSystem privileges.

The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk.

Affected Products

• Windows 2000

Download

Patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: August 2, 2000

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<