Jump to content
Sign in to follow this  

Windows Named Pipe Auditing - Question

Recommended Posts


I finally had the chance to come back into infosec again and spent some time preparing for vulnerability research/bug hunting. Having done some Linux /embedded and web-application stuff I am now compiling information on auditing Windows Applications.
As information comes from many sources some is either wrong or incomplete. Today I have a question about auditing Named Pipes on Windows.

Named pipe consist of a client and server part. They can be accessed locally or from remote machines, depending on configuration. They can be protected by ACLs. As it is basically file I/O we can't intercept the communications with Wireshark.

* Auditing: *
Step 1. Discovering pipes:
Fancy GUI: ProcessExplorer 
Command-line Cowboy: use Pipelist.exe.

Step 2. Permissions:
View ACL:
Fancy GUI: ProcessExplorer 
Command-line Cowboy: Pipesec100.exe

Edit ACL:
Command-line Cowboy: Pipesec100.exe

Step 3. Pipe Accessibility:
Determine if Pipe is Remote Accessible: look in IDA for PIPE_REJECT_REMOTE_CLIENTS flag

Step 4. Creating a Client or Server 
This can be used to interact or impersonate a server. Sample Code can be found for: C#, VB, C++, Ruby, Python 

* Exploitation: *
1. If weak/no DACL: Modify the DACL and see if it affects the process e.g. remove all rights -> Denial-of-Service.

2. If weak/no DACL is present see if we can connect to the pipe from local machine. If the server supports a max instance of 1 client -> Denial of Service

3. If weak/no DACL is present see if we can connect to the pipe from remote machine. As 2 or depending on the next steps, RCE.

4. Test if we can start before the real pipe and impersonate the server. Denial-of-Service, Token Stealing, Information Disclosure. Some mitigation exist.

5. Read from pipe -> Information Disclosure

7. Write to pipe -> Denial-of-Service/EoP/RCE (e.g. malformed data, argument or command injection)

Question: how can we see/capture pipe "traffic"?

Is there an easier/faster way than any the following options?
1. Intercept with API Hooking / MS Detours. Hook: ReadFile and WriteFile    
2. Reverse Engineer, e.g. with IDA Pro
3. Maybe the Fibratus framework but I haven't installed it yet.
4. Static Analysis: audit the source code, useless for blackbox 
5. Custom coded, however my client can connect but seems not to receive anything (byte nor string)


Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now
Sign in to follow this