Validate the service pipe to avoid connecting to a bogus pipe #691
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If an attacker with SeImeprsonatePrivilege manages to create a namedpipe server with a name matching that used by the "Interactive Service", the GUI connecting to it could allow the attacker to impersonate the GUI user. Fix by validating the service pipe by comparing the pid of the pipe server with that of the "Interactive Service". Note: GetNamedPipeServerProcessId() returns the pid of the process that created the first instance of the pipe. So, this patch only guards against a rogue pipe instance created before the service has started. This has to work in combination with a patch for the service that disallows creation of additional pipe instances when the service is running. CVE: CVE-2024-4877 Reported by: Zeze with TeamT5 <[email protected]> Acked-by: Lev Stipakov <[email protected]> Signed-off-by: Selva Nair <[email protected]>
selvanair
force-pushed
the
validate-pipe-v3
branch
from
64317a4
to
5cce04f
Compare
|
changes since last review:
|
|
Looks good to me, and matches the patch proposed and ACKed by @lstipakov on the security@ list. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If an attacker with SeImeprsonatePrivilege manages to create a namedpipe server with a name matching that used by the "Interactive Service", the GUI connecting to it could allow the attacker to impersonate the GUI user.
Fix by validating the service pipe by comparing the pid of the pipe server with that of the "Interactive Service".
Note: GetNamedPipeServerProcessId() returns the pid of the process that created the first instance of the pipe. So, this patch only guards against a rogue pipe instance created before the service has started. This has to work in combination with a patch for the service that disallows creation of additional pipe instances when the service is running.
CVE: CVE-2024-4877
Reported by: Zeze with TeamT5 [email protected]
Acked-by: Lev Stipakov [email protected]