Details

    Description

      https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf describes a named pipe man-in-the-middle vulnerability (pipe-name squatting), specifically for MySQL, where an unprivileged user on the same machine as the server can act as man-in-the-middle between the server and its clients.

      The unprivileged user creates a pipe instance with the same name the server uses, CreateNamedPipe("\\\\.\\pipe\\MySQL", ...), and waits until an unsuspecting client connects to that instance. Once a client is connected, the man-in-the-middle itself connects as a client to the real server process with CreateFile("\\\\.\\pipe\\MySQL", ...) and acts as a proxy, forwarding (and reading) the clear-text messages between the real server and the real client. Creating the extra instance succeeds because the ACL on the server's pipe grants FILE_CREATE_PIPE_INSTANCE to that user; this right is part of FILE_GENERIC_WRITE (it shares the bit value of FILE_APPEND_DATA), so a DACL that grants all local users generic write access grants it too.

      To avoid the vulnerability, the ACL on the named pipe should exclude FILE_CREATE_PIPE_INSTANCE for anyone but the creator (the server's own account, which still needs the right to create further instances of the pipe).
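      The following is an added example of the fix described above and is not MariaDB's or MySQL's own code. It builds the pipe's DACL so that the object owner (the server account) keeps full access while everyone else gets read/write access without FILE_CREATE_PIPE_INSTANCE, creates the first instance with FILE_FLAG_FIRST_PIPE_INSTANCE so that a pipe squatted before the server started is detected instead of shared, and shows the matching client-side open. The pipe name, the SDDL string, the buffer sizes and the choice of the OWNER RIGHTS ("OW") and Everyone ("WD") trustees are assumptions of this example; the access-mask helpers are plain C, and the Win32 calls are under #ifdef _WIN32 so the file also compiles on a non-Windows host.

```c
/*
 * Added example (not MariaDB's or MySQL's code): creating a server named pipe
 * whose DACL denies FILE_CREATE_PIPE_INSTANCE to everyone but the owner, and
 * opening it from a client. On Windows, link with advapi32 for the SDDL call.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#endif

/* Win32 file access bits (values from winnt.h), spelled out so the mask logic
   is visible and compiles without windows.h. */
#define PIPE_FILE_CREATE_PIPE_INSTANCE 0x00000004u  /* same bit as FILE_APPEND_DATA */
#define PIPE_FILE_GENERIC_READ         0x00120089u
#define PIPE_FILE_GENERIC_WRITE        0x00120116u  /* includes the 0x4 bit above */

/* Access granted to ordinary clients: everything needed to read from and write
   to the pipe, minus the one bit that allows creating another instance. */
uint32_t pipe_client_access_mask(void)
{
    return (PIPE_FILE_GENERIC_READ | PIPE_FILE_GENERIC_WRITE)
           & ~PIPE_FILE_CREATE_PIPE_INSTANCE;   /* == 0x12019b */
}

/* Returns 1 if a granted mask still permits pipe-name squatting. A DACL written
   as "Everyone: GENERIC_WRITE" maps to FILE_GENERIC_WRITE and is therefore unsafe. */
int mask_allows_instance_creation(uint32_t mask)
{
    return (mask & PIPE_FILE_CREATE_PIPE_INSTANCE) != 0;
}

/* SDDL for the pipe (assumed layout): the object owner ("OW", the creating
   server account) keeps GENERIC_ALL so it can create further instances;
   Everyone ("WD") gets the restricted client mask as a hex rights string.
   Returns the number of characters written, or -1 if the buffer is too small. */
int build_pipe_sddl(char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "D:(A;;GA;;;OW)(A;;0x%x;;;WD)",
                     (unsigned)pipe_client_access_mask());
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

#ifdef _WIN32
/* Server side. Pass first_instance=1 for the very first CreateNamedPipe call:
   FILE_FLAG_FIRST_PIPE_INSTANCE then fails with ERROR_ACCESS_DENIED if a pipe
   of this name already exists, i.e. if someone squatted the name before the
   server started. Later instances are created without the flag. */
HANDLE create_server_pipe(const char *pipe_name, int first_instance)
{
    char sddl[64];
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
    DWORD open_mode = PIPE_ACCESS_DUPLEX;
    HANDLE h;

    if (build_pipe_sddl(sddl, sizeof sddl) < 0)
        return INVALID_HANDLE_VALUE;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;
    if (first_instance)
        open_mode |= FILE_FLAG_FIRST_PIPE_INSTANCE;

    h = CreateNamedPipeA(pipe_name, open_mode,
                         PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                         PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor);
    return h;   /* INVALID_HANDLE_VALUE on failure; see GetLastError() */
}

/* Client side. Request exactly the rights the DACL grants: GENERIC_READ |
   GENERIC_WRITE would be mapped onto FILE_GENERIC_WRITE, which contains the
   denied FILE_CREATE_PIPE_INSTANCE bit, and the open would fail with
   ERROR_ACCESS_DENIED. SECURITY_IDENTIFICATION also keeps whoever holds the
   server end from impersonating this client beyond identification. */
HANDLE open_client_pipe(const char *pipe_name)
{
    return CreateFileA(pipe_name, FILE_READ_DATA | FILE_WRITE_DATA,
                       0, NULL, OPEN_EXISTING,
                       SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION, NULL);
}
#endif
```

      On Windows, create_server_pipe("\\\\.\\pipe\\MySQL", 1) creates the listening instance and open_client_pipe("\\\\.\\pipe\\MySQL") connects to it; an attacker's CreateNamedPipe on the same name is then refused because the 0x4 bit is not in their granted mask. The price of the restricted DACL is that existing clients which open the pipe with GENERIC_READ | GENERIC_WRITE stop working, which is why a deployment needs either updated clients or a setting such as MySQL's named_pipe_full_access_group to grant the old rights to a trusted group.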

      Attachments

        Activity

          serg Sergei Golubchik added a comment - CVE-2020-28912

          serg Sergei Golubchik added a comment - MySQL appears not to be affected if named_pipe_full_access_group is changed from its default value to an existing Windows local group and the attacker is not in that group.

          People

            wlad Vladislav Vaintroub
            wlad Vladislav Vaintroub