Hello,

The ImpersonateNamedPipeClient() risks have been fully documented by Blake Watts back in 2002. http://www.blakewatts.com/namedpipepaper.html

The problem is basically that OpenFile() will accept either:
- A file path ("C:\toto.txt")
- A share path ("\\hacker\toto")
- A named pipe path ("\\hacker\pipe\toto")

(Did you ever notice that you cannot create a share named "pipe" on a Windows system? ;)

So if you can open a file with a privileged application (such as a SYSTEM service), you can gain the privileges of the application.

Real life example: take your antivirus, change the log file name from "C:\Program Files\Antivirus\log.txt" to "\\mycomputer\pipe\toto" while running a listener on the "toto" pipe. When the antivirus opens the log file, you become SYSTEM.

Regards,
- Nicolas RUFF
Security Researcher @ EADS-CRC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
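The defensive counterpart to the post above, added here as an example and not part of the original mail: a path classifier a privileged service can run on a user-configurable file name (log path, quarantine folder, etc.) before handing it to CreateFile/OpenFile, refusing anything that resolves to a named pipe or a remote share. The path forms and the function names are my own; the SECURITY_SQOS_PRESENT / SECURITY_IDENTIFICATION flags mentioned in the comments are real Win32 CreateFile flags.

```python
# Path shapes that a SYSTEM service should not open when the name is
# controlled by a less-privileged user (constructed examples):
#   \\.\pipe\name             local named pipe via the device namespace
#   \\hacker\pipe\name        named pipe reached through the pipe "share"
#   \\?\pipe\name             same pipe, extended-length prefix
#   \\?\UNC\hacker\pipe\name  same pipe, UNC spelled out behind the prefix
#   \\hacker\share\x.txt      SMB share: the remote server controls the file

def classify_path(path: str) -> str:
    """Classify a Win32 path as 'local', 'share', 'pipe' or 'device'."""
    p = path.replace("/", "\\")          # Win32 accepts forward slashes too
    # Unwrap the verbatim/extended-length prefixes so they cannot hide a UNC.
    if p.startswith("\\\\?\\UNC\\") or p.startswith("\\\\.\\UNC\\"):
        p = "\\\\" + p[8:]                # \\?\UNC\host\x  ->  \\host\x
    elif p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        first = p[4:].split("\\", 1)[0].lower()
        if first == "pipe":               # \\.\pipe\name or \\?\pipe\name
            return "pipe"
        if p.startswith("\\\\?\\"):
            return "local"                # e.g. \\?\C:\dir\file.txt
        return "device"                   # e.g. \\.\PhysicalDrive0
    if not p.startswith("\\\\"):
        return "local"                    # drive-letter or relative path
    parts = p[2:].split("\\")             # ["host", "share", ...]
    if len(parts) >= 2 and parts[1].lower() == "pipe":
        return "pipe"                     # \\host\pipe\name, any host
    return "share"

def is_safe_log_path(path: str) -> bool:
    """Accept only plain local files for a privileged service's configurable paths.

    If a service genuinely must open caller-supplied UNC paths, the Win32
    mitigation is to pass SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
    (or SECURITY_ANONYMOUS) in CreateFile's dwFlagsAndAttributes, so the
    server end of a pipe cannot impersonate the service beyond that level.
    """
    return classify_path(path) == "local"

if __name__ == "__main__":
    for sample in (r"C:\Program Files\Antivirus\log.txt",
                   r"\\mycomputer\pipe\toto", r"\\hacker\toto"):
        print(f"{sample!r}: {classify_path(sample)}, safe={is_safe_log_path(sample)}")
```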