Subject: Re: ImpersonateNamedPipeClient
From: Matt Conover (shokCAMEL.ETHEREAL.NET)
Date: Thu Aug 03 2000 - 17:14:20 CDT


> For example I wrote some code so when a remote computer connects to a
> certain named pipe on my system that it spawns a cmd.exe (basically like how
> most windows buffer overflow shellcode works) with the access rights of that
> remote user. So I find some idiot working at a company, send them the
> trojan, and then have a dos prompt to that remote user's machine which I can
> then use to locally exploit their NT server to then become SYSTEM.

My understanding (I'll try to get it verified) was that you can only
impersonate an account on the machine (the account could be on the domain,
also). I.e., it would be similar to logging into the machine, which
requires privileges.

> There are security risks with named pipes beyond local named pipes. Clients
> can be vulnerable.

My comment that clients are not vulnerable is based on the assumption that
I stated above--if this is wrong, then my statement is wrong, but I'm told
that a valid account on the server side is required.