MariaDB Server / MDEV-24040

Named pipe permission issue

Description

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf describes a named pipe privilege vulnerability, specifically for MySQL, where an unprivileged user located on the same machine as the server can act as a man-in-the-middle between server and client.

The unprivileged user creates a pipe instance with the same name the server uses, via CreateNamedPipe("\\.\pipe\MySQL", ...), and waits until an unsuspecting client connects to that instance. Once a client is connected, the man-in-the-middle also connects as a client to the real server process with CreateFile("\\.\pipe\MySQL", ...) and acts as a proxy, forwarding and reading the clear-text messages exchanged between the real server and the real client.

To avoid the vulnerability, the ACL on the named pipe should exclude FILE_CREATE_PIPE_INSTANCE for anyone but the creator.
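As an added illustration of that mitigation (this is example code, not MariaDB's own fix and not code from the paper), the C program below builds a DACL for the pipe that gives the server's own account full access and gives Everyone only the rights needed to exchange data, then checks that the non-owner mask does not contain FILE_CREATE_PIPE_INSTANCE. The pipe name \\.\pipe\MySQL comes from the description above; the helper names, the buffer sizes and the use of "SY" (LocalSystem) as the owner SID are assumptions. The access-right values are the ones defined in winnt.h; the part that actually calls CreateNamedPipe compiles only under _WIN32.

```c
/* Added example (not MariaDB code): restrict FILE_CREATE_PIPE_INSTANCE on a
 * named pipe so that only the creating account can add pipe instances. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-right bit values as defined in winnt.h. FILE_CREATE_PIPE_INSTANCE is
 * the named-pipe meaning of the 0x0004 bit that files call FILE_APPEND_DATA,
 * so any ACE granting FILE_GENERIC_WRITE (SDDL "FW") or GENERIC_WRITE grants
 * the instance-creation right as well. */
#define RIGHT_FILE_READ_DATA            0x00000001u
#define RIGHT_FILE_WRITE_DATA           0x00000002u
#define RIGHT_FILE_CREATE_PIPE_INSTANCE 0x00000004u
#define RIGHT_FILE_READ_ATTRIBUTES      0x00000080u
#define RIGHT_FILE_WRITE_ATTRIBUTES     0x00000100u
#define RIGHT_READ_CONTROL              0x00020000u
#define RIGHT_SYNCHRONIZE               0x00100000u
#define RIGHT_FILE_GENERIC_WRITE        0x00120116u  /* includes the 0x0004 bit */

/* Rights a client needs to talk over the pipe; deliberately listed as specific
 * rights so that the 0x0004 bit stays out of the mask. Evaluates to 0x120183. */
#define PIPE_CLIENT_RIGHTS (RIGHT_FILE_READ_DATA | RIGHT_FILE_WRITE_DATA | \
                            RIGHT_FILE_READ_ATTRIBUTES | RIGHT_FILE_WRITE_ATTRIBUTES | \
                            RIGHT_READ_CONTROL | RIGHT_SYNCHRONIZE)

/* Returns 1 if an access mask would let its holder create further pipe
 * instances, which is the precondition for the man-in-the-middle above. */
int grants_create_pipe_instance(uint32_t access_mask)
{
    return (access_mask & RIGHT_FILE_CREATE_PIPE_INSTANCE) != 0;
}

/* Build an SDDL DACL: full access (FA) for the server's own SID and only
 * PIPE_CLIENT_RIGHTS (written as a hex mask) for Everyone (WD). "P" marks the
 * DACL as protected so nothing is inherited. owner_sid is an SDDL SID alias
 * such as "SY" or a literal "S-1-5-21-..." string (assumed input).
 * Returns 1 on success, 0 if the buffer is too small. */
int build_pipe_sddl(char *out, size_t out_len, const char *owner_sid)
{
    int n = snprintf(out, out_len, "D:P(A;;FA;;;%s)(A;;0x%X;;;WD)",
                     owner_sid, (unsigned)PIPE_CLIENT_RIGHTS);
    if (n < 0 || (size_t)n >= out_len)
        return 0;
    /* Self-check: the mask handed to Everyone must never carry the bit. */
    return !grants_create_pipe_instance(PIPE_CLIENT_RIGHTS);
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>

/* Create the first instance of the pipe with the restrictive DACL.
 * FILE_FLAG_FIRST_PIPE_INSTANCE makes the call fail with ERROR_ACCESS_DENIED
 * when another process already owns an instance of that name, which is worth
 * logging: it is exactly the name squatting the report describes.
 * Returns INVALID_HANDLE_VALUE on failure; GetLastError() holds the reason. */
HANDLE create_protected_pipe(const char *pipe_name, const char *owner_sid)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa;
    HANDLE h;

    if (!build_pipe_sddl(sddl, sizeof sddl, owner_sid))
        return INVALID_HANDLE_VALUE;

    sa.nLength = sizeof sa;
    sa.bInheritHandle = FALSE;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;

    h = CreateNamedPipeA(pipe_name,
                         PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
                         PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                         PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor);
    return h;
}
#endif

int main(void)
{
    char sddl[256];
    if (!build_pipe_sddl(sddl, sizeof sddl, "SY"))
        return 1;
    printf("pipe DACL: %s\n", sddl);
    printf("FILE_GENERIC_WRITE grants create-instance: %d\n",
           grants_create_pipe_instance(RIGHT_FILE_GENERIC_WRITE));
#ifdef _WIN32
    {
        HANDLE h = create_protected_pipe("\\\\.\\pipe\\MySQL", "SY");
        if (h == INVALID_HANDLE_VALUE)
            printf("CreateNamedPipe failed: %lu\n", GetLastError());
        else
            CloseHandle(h);
    }
#endif
    return 0;
}
```

Two consequences of this DACL are worth noting. First, a client that opens the pipe with GENERIC_WRITE is asking for FILE_GENERIC_WRITE, whose 0x0004 bit the DACL withholds from Everyone, so clients should request the specific rights (FILE_READ_DATA | FILE_WRITE_DATA plus attributes and SYNCHRONIZE) instead. Second, FILE_FLAG_FIRST_PIPE_INSTANCE belongs only on the first instance; the server creates every later instance without it but with the same security descriptor, otherwise a later instance would fail against the server's own earlier one.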

People

Assignee: Vladislav Vaintroub (wlad)
Reporter: Vladislav Vaintroub (wlad)
Votes: 0
Watchers: 2
