-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always pass SECURITY_SQOS_PRESENT|SECURITY_IDENTIFICATION when opening a named pipe #42036
Comments
Where do we use named pipes? |
Nowhere, but it is possible to open a named pipe as a file.
…On May 16, 2017 1:29 PM, "Steven Fackler" ***@***.***> wrote:
Where do we use named pipes?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#42036 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGGWB3pg-HsW7L2lwyxGumdyCyDYzRWHks5r6d0VgaJpZM4Ncg1j>
.
|
@DemiMarie Could you be more clear? What exactly needs to change inside Rust? I assume we'd have to add some form of detection around file opening in windows..? |
Whenever libstd calls CreateFileW(), it needs to pass these flags to avoid
a local privilege escalation exploit.
…On Jun 22, 2017 7:47 PM, "Mark Simulacrum" ***@***.***> wrote:
@DemiMarie <https://github.com/demimarie> Could you be more clear? What
exactly needs to change inside Rust? I assume we'd have to add some form of
detection around file opening in windows..?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#42036 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGGWB7_FxvJuGupfVWCvnl2Sv06mK7FWks5sGv0XgaJpZM4Ncg1j>
.
|
… named pipe exploit Fixes rust-lang#42036 As noted in [this paper][1], the threat model for the exploit is a priveleged Rust process which accepts a file path from a malicious program. With this exploit, the malicious program can pass a named pipe to the priveleged process and gain its elevated priveleges. The fix is to change the default OpenOptions to contain the proper security flags. [The .NET FileStream][2] has this same behavior by default. We're using the `SecurityIdentification` security level which is more permissive, but still blocks the exploit. This is technically a breaking change. If someone were using a named pipe to impersonate a program *on purpose*, they would have to add `.security_qos_flags(0)` to their `OpenOptions` to keep working. [1]: http://www.blakewatts.com/namedpipepaper.html [2]: http://referencesource.microsoft.com/#mscorlib/system/io/filestream.cs,837
A simple explanation of the security problem: https://flylib.com/books/en/1.287.1.242/1/. What could be a problem with setting these flags always: the flag Now I've never seen a system with 'hierarchical storage' where While investigation this, I found another issue with Now I don't care much for working well with hierarchical storage. But we should not break it without having some sort of workaround available.
I don't know if I'll get to making a PR and doing the required testing, just writing down what I've found so far. |
Set secure flags when opening a named pipe on Windows Fixes rust-lang#42036, see also the previous attempt in rust-lang#44556. Whether this is correct depends on if it is somehow possible to create a symlink to a named pipe, outside the named pipe filesystem (NPFS). But as far as I can tell that should be impossible. Also fixes that `security_qos_flags(SECURITY_ANONYMOUS)` does not set the `SECURITY_SQOS_PRESENT` flag, and the incorrect documentation about the default value of `security_qos_flags`.
Set secure flags when opening a named pipe on Windows Fixes rust-lang#42036, see also the previous attempt in rust-lang#44556. Whether this is correct depends on if it is somehow possible to create a symlink to a named pipe, outside the named pipe filesystem (NPFS). But as far as I can tell that should be impossible. Also fixes that `security_qos_flags(SECURITY_ANONYMOUS)` does not set the `SECURITY_SQOS_PRESENT` flag, and the incorrect documentation about the default value of `security_qos_flags`.
Set secure flags when opening a named pipe on Windows Fixes rust-lang#42036, see also the previous attempt in rust-lang#44556. Whether this is correct depends on if it is somehow possible to create a symlink to a named pipe, outside the named pipe filesystem (NPFS). But as far as I can tell that should be impossible. Also fixes that `security_qos_flags(SECURITY_ANONYMOUS)` does not set the `SECURITY_SQOS_PRESENT` flag, and the incorrect documentation about the default value of `security_qos_flags`.
Set secure flags when opening a named pipe on Windows Fixes #42036, see also the previous attempt in #44556. Whether this is correct depends on if it is somehow possible to create a symlink to a named pipe, outside the named pipe filesystem (NPFS). But as far as I can tell that should be impossible. Also fixes that `security_qos_flags(SECURITY_ANONYMOUS)` does not set the `SECURITY_SQOS_PRESENT` flag, and the incorrect documentation about the default value of `security_qos_flags`.
By default, opening a named pipe on Windows allows the server to impersonate the client. This is a security vulnerability. Pass
SECURITY_SQOS_PRESENT|SECURITY_IDENTIFICATION
to prevent this.Since it fixes a security hole, I don’t think this needs an RFC.
The text was updated successfully, but these errors were encountered: