MariaDB Server / MDEV-24040

Named pipe permission issue

Details

    Description

      https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf describes a named pipe privilege vulnerability, specifically for MySQL, where an unprivileged user, located on the same machine as the server, can act as a man-in-the-middle between server and client.

      An unprivileged user creates a pipe instance, using the same name as the server does, with CreateNamedPipe("\\\\.\\pipe\\MySQL", ...), and waits until an unsuspecting client connects to this instance. Once the client is connected, the "man-in-the-middle" also connects as a client to the real server process with CreateFile("\\\\.\\pipe\\MySQL", ...) and acts as a proxy (forwards and reads clear-text messages between the real server and the real client).

      To avoid the vulnerability, the ACL on the named pipe should exclude FILE_CREATE_PIPE_INSTANCE for anyone but the creator.
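
An added example, not part of the original issue or of MariaDB's code: a check that a pipe's DACL, given as an SDDL string, grants FILE_CREATE_PIPE_INSTANCE to nobody but the creator. It shows why a plain GENERIC_WRITE grant fails that check: FILE_CREATE_PIPE_INSTANCE shares its value with FILE_APPEND_DATA, which FILE_GENERIC_WRITE contains. The SIDs and descriptors are constructed samples, the function names are hypothetical, and generic rights are assumed to map as they do for file objects.

```python
import re

# Access-mask bits from the Windows SDK headers (winnt.h).
FILE_CREATE_PIPE_INSTANCE = 0x0004   # same value as FILE_APPEND_DATA
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116        # includes bit 0x0004
FILE_ALL_ACCESS = 0x1F01FF

# SDDL two-letter rights; generic rights are shown already mapped (assumption: file mapping).
SDDL_RIGHTS = {
    "GA": FILE_ALL_ACCESS, "GR": FILE_GENERIC_READ, "GW": FILE_GENERIC_WRITE,
    "GX": 0x1200A0, "FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
    "FW": FILE_GENERIC_WRITE, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

def rights_to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("malformed rights field: " + rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def extra_instance_creators(sddl, creator):
    """Return trustees other than `creator` that an allow ACE lets create
    pipe instances. Deny ACEs are not evaluated (simplification)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _og, _iog, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee == creator:
            continue
        if rights_to_mask(rights) & FILE_CREATE_PIPE_INSTANCE:
            found.append(trustee)
    return found

# Constructed samples; S-1-5-21-1-2-3-1001 stands for the server account.
CREATOR = "S-1-5-21-1-2-3-1001"
WEAK = "O:" + CREATOR + "D:(A;;FA;;;" + CREATOR + ")(A;;GRGW;;;WD)"
HARDENED = "O:" + CREATOR + "D:(A;;0x1f01ff;;;" + CREATOR + ")(A;;0x12019b;;;WD)"
```

In the hardened sample, 0x12019b is FILE_GENERIC_READ combined with FILE_GENERIC_WRITE with bit 0x0004 cleared, so Everyone (WD) can still connect, read and write, but cannot create a pipe instance.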

          People

            wlad Vladislav Vaintroub