From Gray Hat Hacking: The Ethical Hacker's Handbook, 4th Edition:
Enumerating Named Pipes
Named pipes are similar to shared sections in
that developers used to think, incorrectly, that named pipes accept
only trusted, well-formed data from users or programs running at the
same privilege level as the program that has created the named pipe.
There are (at least) three elevation-of-privilege threats with named
pipes. First, weakly ACL’d named pipes can be written to by
low-privileged attackers, potentially causing parsing or logic flaws
in a program running at a higher privilege level. Second, if attackers
can trick higher-privileged users or processes to connect to their
named pipe, the attackers may be able to impersonate the caller. This
impersonation functionality is built into the named pipe
infrastructure. Finally, attackers might also find information
disclosed from the pipe that they wouldn’t otherwise be able to
access. AccessChk does not appear to support named pipes natively, but
Mark Russinovich of Sysinternals did create a tool specifically to
enumerate named pipes. Here’s the output from PipeList.exe:
PipeList v1.1
by Mark Russinovich
http://www.sysinternals.com

Pipe Name                        Instances  Max Instances
---------                        ---------  -------------
TerminalServer\AutoReconnect         1            1
InitShutdown                         2           -1
lsass                                3           -1
protected_storage                    2           -1
SfApi                                2           -1
ntsvcs                               6           -1
scerpc                               2           -1
net\NtControlPipe1                   1            1
net\NtControlPipe2                   1            1
net\NtControlPipe3                   1            1
The Process Explorer GUI will display the security descriptor for
named pipes. The “squatting” or “luring” attack (the second
elevation-of-privilege threat previously mentioned) requires an
attacker who holds SeImpersonatePrivilege and can influence the
behavior of a process running at a higher privilege level. One such
example discovered by Cesar Cerrudo involved an attacker being able to
set the registry value holding a service’s log file path to an
arbitrary value. The attack involved setting the log file path to
\??\Pipe\AttackerPipe, creating that named pipe, causing an event to
be logged, and impersonating the LocalSystem caller connecting to
\??\Pipe\AttackerPipe.
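As an added example (not code from the book, from Sysinternals, or from any of the tools named above), the following PowerShell script combines the two steps the section describes, enumerating the pipe names that PipeList shows and then reading each pipe's security descriptor as Process Explorer does, into a local audit for the first threat: pipes whose DACL lets broad groups write. It assumes Windows PowerShell 5.1 on .NET Framework, where PipeStream exposes GetAccessControl(); the function names, the SID table, and the 200 ms connect timeout are the example's own choices. Reading a pipe's DACL requires a client handle, so each pipe is briefly opened for read and closed again.

```powershell
# Added example: flag local named pipes whose DACL grants WriteData to
# broad principals. Assumes Windows PowerShell 5.1 (.NET Framework).

# Well-known SIDs that mean "any local user" (table chosen for this example)
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-7'      = 'Anonymous'
}

function Get-NamedPipeNames {
    # \\.\pipe\ enumerates like a directory through the Win32 file API
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
}

function Get-NamedPipeDacl {
    param([Parameter(Mandatory)][string]$Name)
    # PipeDirection.In opens the pipe with GENERIC_READ, which includes
    # READ_CONTROL, enough to query the security descriptor.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $Name, [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect(200)          # ms; throws if no free instance
        $client.GetAccessControl()    # returns System.IO.Pipes.PipeSecurity
    } finally {
        $client.Dispose()
    }
}

function Find-WeakNamedPipes {
    [CmdletBinding()]
    param()
    $writeData = [System.IO.Pipes.PipeAccessRights]::WriteData
    foreach ($name in Get-NamedPipeNames) {
        try   { $sec = Get-NamedPipeDacl -Name $name }
        catch { Write-Verbose "Skipping $name : $($_.Exception.Message)"; continue }

        # Explicit and inherited rules, identities reported as raw SIDs
        $rules = $sec.GetAccessRules($true, $true,
                                     [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Allow' -and
                $BroadSids.ContainsKey($sid) -and
                (($r.PipeAccessRights -band $writeData) -ne 0)) {
                [pscustomobject]@{
                    Pipe      = $name
                    Principal = $BroadSids[$sid]
                    Rights    = $r.PipeAccessRights
                }
            }
        }
    }
}

# Usage: list every pipe a low-privileged local user can write to.
Find-WeakNamedPipes -Verbose | Sort-Object Pipe | Format-Table -AutoSize
```

A hit in this list is not by itself a vulnerability; it means the server process, whatever privilege it runs at, must treat data arriving on that pipe as untrusted input, which is exactly the assumption the section says developers historically got wrong. Pipes that the current user cannot open at all are skipped (visible with -Verbose), so run the audit under the least-privileged account you care about as well as under an administrator.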