[MDEV-24040] Named pipe permission issue Created: 2020-10-27  Updated: 2020-11-17  Resolved: 2020-10-28

Status: Closed
Project: MariaDB Server
Component/s: Platform Windows
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.1.48, 10.2.35, 10.3.26, 10.4.16, 10.5.7

Type: Bug Priority: Blocker
Reporter: Vladislav Vaintroub Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 0
Labels: None


 Description   

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf describes a named pipe privilege vulnerability, specifically for MySQL, where an unprivileged user, located on the same machine as the server, can act as a man-in-the-middle between server and client.

An unprivileged user creates a pipe instance using the same name as the server does, with CreateNamedPipe("\\\\.\\pipe\\MySQL", ...), and waits until an unsuspecting client connects to this instance. Once the client is connected, the "man-in-the-middle" also connects as a client to the real server process with CreateFile("\\\\.\\pipe\\MySQL", ...) and acts as a proxy (forwards and reads clear-text messages between the real server and the real client).

To avoid the vulnerability, the ACL on the named pipe should exclude FILE_CREATE_PIPE_INSTANCE for anyone but the creator.
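
The following is an added example and is not MariaDB's own code. It shows the DACL described above applied to a named pipe, plus an audit that connects to an existing pipe and lists every non-owner principal that may still create instances of it (the check you would run against a server before and after the fix). It assumes Windows PowerShell 5.1 on .NET Framework, where NamedPipeServerStream takes a PipeSecurity argument, and uses the made-up pipe name 'ExamplePipe' in place of the server's 'MySQL'.

```powershell
# Added example, not MariaDB's own code. Assumes Windows PowerShell 5.1 on
# .NET Framework, where NamedPipeServerStream accepts a PipeSecurity argument,
# and uses the made-up pipe name 'ExamplePipe' in place of the server's 'MySQL'.
Add-Type -AssemblyName System.Core    # home of System.IO.Pipes on .NET Framework

function New-HardenedPipeSecurity {
    # DACL in which only the creating identity holds CreateNewInstance,
    # the .NET name for FILE_CREATE_PIPE_INSTANCE.
    $sec   = [System.IO.Pipes.PipeSecurity]::new()
    $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $users = [System.Security.Principal.SecurityIdentifier]::new(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # Creator: full control, which includes the right to add further instances.
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $owner, [System.IO.Pipes.PipeAccessRights]::FullControl, $allow))

    # Everyone else: read/write the pipe and read its ACL, plus Synchronize,
    # which CreateFile's generic mapping requests. CreateNewInstance is absent,
    # so another local user cannot add an instance under this name.
    $clientRights = [System.IO.Pipes.PipeAccessRights]::ReadWrite -bor
                    [System.IO.Pipes.PipeAccessRights]::Synchronize
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($users, $clientRights, $allow))
    return $sec
}

function Start-HardenedPipeServer([string]$Name = 'ExamplePipe') {
    # The DACL must be attached at creation time: it is the first instance's
    # security descriptor that governs who may create the next instance.
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,
        (New-HardenedPipeSecurity))
    return $server
}

function Get-PipeInstanceSquatters([string]$Name) {
    # Audit an existing pipe: list every non-owner principal allowed to create a
    # new instance of it. Opens the pipe read-only, so the client asks for
    # GENERIC_READ only (enough for READ_CONTROL, which GetAccessControl needs).
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $Name, [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect(2000)                      # timeout in milliseconds
        $acl   = $client.GetAccessControl()
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $squatters = @(foreach ($r in $rules) {
            $canCreate = ($r.PipeAccessRights -band
                          [System.IO.Pipes.PipeAccessRights]::CreateNewInstance) -ne 0
            if ($r.AccessControlType -eq 'Allow' -and $canCreate -and
                $r.IdentityReference.Value -ne $owner) {
                try   { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $r.IdentityReference.Value }   # unresolvable SID: report it raw
            }
        })
        return $squatters
    } finally {
        $client.Dispose()
    }
}
```

Run `$server = Start-HardenedPipeServer` in one PowerShell session and `Get-PipeInstanceSquatters 'ExamplePipe'` in a second one; the hardened pipe yields an empty list, and pointing the audit at 'MySQL' shows what a running server grants. Two caveats a practitioner should keep in mind. First, FILE_CREATE_PIPE_INSTANCE and FILE_APPEND_DATA are the same bit (0x4) in winnt.h, and FILE_GENERIC_WRITE includes FILE_APPEND_DATA, so a client that opens the pipe with GENERIC_READ | GENERIC_WRITE requests the very right this DACL withholds; .NET's NamedPipeClientStream does that for PipeDirection.Out and InOut, which is why the audit above opens with PipeDirection.In, and a native client should pass FILE_READ_DATA | FILE_WRITE_DATA to CreateFile rather than the generic rights. Second, the ACL only protects instances created after the server's own first instance: if the attacker created the pipe before the server started, the server's CreateNamedPipe would join the attacker's pipe under the attacker's DACL, so a Win32 server should pass FILE_FLAG_FIRST_PIPE_INSTANCE when creating its first instance and treat ERROR_ACCESS_DENIED as a sign that the name is already taken.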



 Comments   
Comment by Sergei Golubchik [ 2020-11-17 ]

CVE-2020-28912

Comment by Sergei Golubchik [ 2020-11-17 ]

MySQL appears not to be affected if named_pipe_full_access_group is changed from its default value to an existing Windows local group and the attacker is not in this group.

Generated at Thu Feb 08 09:26:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.