How can I secure named pipes in Windows?

5

I have some misunderstandings about how to secure named pipe communication in Windows.

For example, I have a Windows service that talks to other processes through pipes; how can I make sure I am talking to the right process? Are there ways to authenticate the connections? I know Chrome has implemented some security measures in its code, but I had trouble following the implementation.

I have also read about pipe impersonation attacks that can be used against named pipes, and I also had some trouble understanding how these attacks work or how to block them.

posted by FigureItOut 15.05.2016 - 16:29

1 answer

2

From Gray Hat Hacking The Ethical Hacker's Handbook, 4th Edition:

Enumerating Named Pipes

Named pipes are similar to shared sections in that developers used to think, incorrectly, that named pipes accept only trusted, well-formed data from users or programs running at the same privilege level as the program that has created the named pipe. There are (at least) three elevation-of-privilege threats with named pipes. First, weakly ACL’d named pipes can be written to by low-privileged attackers, potentially causing parsing or logic flaws in a program running at a higher privilege level. Second, if attackers can trick higher-privileged users or processes to connect to their named pipe, the attackers may be able to impersonate the caller. This impersonation functionality is built into the named pipe infrastructure. Finally, attackers might also find information disclosed from the pipe that they wouldn’t otherwise be able to access. AccessChk does not appear to support named pipes natively, but Mark Russinovich of Sysinternals did create a tool specifically to enumerate named pipes. Here’s the output from PipeList.exe:

PipeList v1.1
by Mark Russinovich
http://www.sysinternals.com
Pipe Name                      Instances      Max Instances
---------                      ---------      -------------
TerminalServer\AutoReconnect        1             1
InitShutdown                        2            -1
lsass                               3            -1
protected_storage                   2            -1
SfApi                               2            -1
ntsvcs                              6            -1
scerpc                              2            -1
net\NtControlPipe1                  1             1
net\NtControlPipe2                  1             1
net\NtControlPipe3                  1             1

The Process Explorer GUI will display the security descriptor for named pipes. The “squatting” or “luring” attack (the second elevation-of-privilege threat previously mentioned) requires an attacker having the SeImpersonatePrivilege to influence the behavior of a process running at a higher privilege level. One such example discovered by Cesar Cerrudo involved an attacker being able to set the file path in the registry for a service’s log file path to an arbitrary value. The attack involved setting the log file path to \??\Pipe\AttackerPipe, creating that named pipe, causing an event to be logged, and impersonating the LocalSystem caller connecting to \??\Pipe\AttackerPipe.

answered 16.05.2016 - 10:05
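The two threats the quoted passage describes, a weakly ACL'd pipe and a squatted pipe name used to impersonate the caller, have direct counter-measures on both ends of the connection. The following is an added example, not code from the original answer or from the book; it assumes Windows PowerShell 5.1 (the .NET Framework build of System.IO.Pipes), a server console and a client console running as the same user, and a constructed pipe name.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 on .NET Framework,
# one console running the server and one running the client as the same user; the pipe name is constructed.
using namespace System.IO.Pipes
using namespace System.Security.Principal

$PipeName = 'ExampleSecuredPipe'   # constructed placeholder name

function New-RestrictedPipeSecurity {
    # Replace the default DACL: only the creating user and LocalSystem may use the pipe, and
    # NETWORK logons are denied outright so the pipe cannot be reached remotely via \\host\pipe\...
    $me      = [WindowsIdentity]::GetCurrent().User
    $system  = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
    $network = [SecurityIdentifier]::new([WellKnownSidType]::NetworkSid, $null)
    $sec = [PipeSecurity]::new()
    $sec.AddAccessRule([PipeAccessRule]::new($me,      [PipeAccessRights]::ReadWrite,   'Allow'))
    $sec.AddAccessRule([PipeAccessRule]::new($system,  [PipeAccessRights]::FullControl, 'Allow'))
    $sec.AddAccessRule([PipeAccessRule]::new($network, [PipeAccessRights]::FullControl, 'Deny'))
    return $sec
}

function Start-PipeServer {
    # A single instance with an explicit DACL: while this server is listening, another process
    # cannot add an instance of the same name to catch the next client.
    $server = [NamedPipeServerStream]::new($PipeName, [PipeDirection]::InOut, 1,
        [PipeTransmissionMode]::Byte, [PipeOptions]::None, 4096, 4096, (New-RestrictedPipeSecurity))
    $server.WaitForConnection()
    # Ask the pipe who connected instead of trusting anything the client writes into the stream.
    $caller = $server.GetImpersonationUserName()
    $reader = [System.IO.StreamReader]::new($server)
    $line   = $reader.ReadLine()
    $server.Dispose()
    return "From ${caller}: $line"
}

function Send-PipeMessage([string]$Text) {
    # Identification level: if an attacker squatted the name first, the fake server learns who
    # we are but cannot act with our token; the default level (Impersonation) would hand it over.
    $client = [NamedPipeClientStream]::new('.', $PipeName, [PipeDirection]::InOut,
        [PipeOptions]::None, [TokenImpersonationLevel]::Identification)
    $client.Connect(5000)
    $writer = [System.IO.StreamWriter]::new($client)
    $writer.AutoFlush = $true
    $writer.WriteLine($Text)
    $client.Dispose()
}

# Console 1:  Start-PipeServer          Console 2:  Send-PipeMessage 'hello'
```

Process Explorer, mentioned in the quoted text, shows the resulting security descriptor on the pipe object, which is a quick way to confirm the DACL above was applied rather than the default one.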
