Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
-
None
Description
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf describes a named pipe privilege vulnerability, specifically for MySQL, where an unprivileged user, located on the same machine as the server, can act as man-in-the-middle between server and client.
Unprivileged user creates pipe instance, using the same name as the server does, with CreateNamedPipe("\\\\.\\pipe\MySQL",...), and waits until an unsuspected client connects to this instance. Once client is connected, "man-in-the-middle" also connects as client to the real server process with CreateFile("\\\.\\pipe\MySQL", ....) and acts as a proxy (forwards and reads clear-text messages between the real server, and the real client).
To avoid the vulnerability, ACL on named pipe should exclude FILE_CREATE_PIPE_INSTANCE for anyone but the creator.
Attachments
Activity
MySQL appears to be not affected if named_pipe_full_access_group is changed from the default value to an existing Windows local group and the attacker is not in this group.
CVE-2020-28912