DOCUMENT:Q240073 20-MAY-2002 [winnt] TITLE :Privilege Violation When Creating a Pipe Instance in NPFS PRODUCT :Microsoft Windows NT PROD/VER:winnt:4.0 OPER/SYS: KEYWORDS:kbWinNT4sp6fix ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0, Terminal Server Edition - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server, Enterprise Edition version 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When a client uses the recommended FILE_GENERIC_WRITE access type to open a named pipe to a server using the Microsoft Windows NT 4.0 Named Pipes File System (NPFS), it is possible for the client, regardless of permissions, to create an instance of a server pipe and wait for a privileged user to connect in order to impersonate them on that instance. This privilege violation poses a C2 security risk. CAUSE ===== This behavior also occurs because NPFS does not verify that the user has the needed permissions in the Access Control List (ACL) and access type in the Discretionary Access Control List (DACL). Another factor contributing to this situation is that named pipes which were not created with an explicit security descriptor receive the NULL security descriptor and allows unprivileged processes to obtain handles to named pipes on a server. RESOLUTION ========== Windows NT Server or Workstation 4.0 ------------------------------------ To resolve this problem, obtain the latest service pack for Windows NT 4.0 or the individual software update. For information on obtaining the latest service pack, please go to: - http://www.microsoft.com/Windows/ServicePacks/ -or- - Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack For information on obtaining the individual software update, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS Windows NT Server 4.0, Terminal Server Edition ---------------------------------------------- To resolve this problem, obtain the latest service pack for Windows NT Server 4.0, Terminal Server Edition. For additional information, please see the following article in the Microsoft Knowledge Base: Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack STATUS ====== Microsoft has confirmed this to be a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT Server 4.0 Service Pack 6 and Windows NT Server 4.0, Terminal Server Edition Service Pack 6. MORE INFORMATION ================ Without the application of Windows NT 4.0 Service Pack 6, a server running Windows NT 4.0 cannot stop clients from creating an instance of a named pipe because the instance bits from FILE_CREATE_PIPE_INSTANCE overlap with FILE_APPEND_DATA in the GENERIC_WRITE access type. So long as a client has FILE_GENERIC_WRITE access to a pipe, they can create an instance and acquire unauthorized access. NPFS can then check for permissions and access types, and a default security descriptor is added to the I/O Manager that does not allow unprivileged access. An application, however, can protect itself against being instanced in this situation by denying all access to the pipe (the Dynamic Host Control Protocol (DHCP) client is an example of an application that denies all access). Within the Security Descriptor, (a special data structure containing security information for an object), the DACL identifies users and group Security Identifiers (SIDs) that are to be granted or denied access for an object, and the System Access Control List (SACL) controls the auditing message the operating system generates. Both the DACL and the SACL contain ACE elements, which specify the users and groups with their individual permissions. The SID, ACL, DACL, and SACL are components that play a role in determining how well a computer complies with the U.S. Department of Defense C2security specification. For more information on the requirements and characterisitcs of C2 security, please visit the following Microsoft Web site: http://www.microsoft.com/NTServer/security/exec/overview/C2Beyond.asp Additional query words: ====================================================================== Keywords : kbWinNT4sp6fix Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbNTTermServ400 kbNTTermServSearch Version : winnt:4.0 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.