Consider the case where a user-mode application can send messages to a privileged process (like a Windows service).
What prevents any user-mode application from doing that? And if your Windows service is running as "NT AUTHORITY\SYSTEM" and even executes privileged commands, well, you might find you've got a simple privilege escalation vuln.
Remember, secure your named pipes...especially when the named pipe server runs as SYSTEM.
- https://stackoverflow.com/a/59983266
- https://versprite.com/blog/security-research/vulnerable-name...
https://docs.microsoft.com/en-us/dotnet/api/system.servicepr...
You've definitely outlined the risk clearly of allowing a client to specify anything arbitrarily.
I once wrote a sudo implementation for Windows Vista / Windows 7 and the first attempt used named pipes communicating with a Windows service that did some token manipulation to execute things as the user (but with an elevated token attached as well). There be (security) dragons.
I like using named pipes and they are a great IPC mechanism for communicating amongst processes of the same privilege level. I would not use them for message passing between processes of different privilege levels.
The server needs to call ImpersonateNamedPipeClient() on the incoming client connection to assume the client’s security token, which would lower the server’s privilege to the level of the client. That’s it!
A guest level client can connect to the server. The server’s privilege becomes guest, and cannot access any resources that guest has no permission to access.
[1] https://docs.microsoft.com/en-us/windows/win32/api/namedpipe...
Then the only things the user-mode application can send are flags (integers) for which the service has already predetermined what it will do in response.
Here's an article: https://www.codeproject.com/Articles/24434/How-to-Write-Wind...
And here's a succinct example: https://stackoverflow.com/a/5805700
Edit: would like to know why I'm being downvoted.
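The three controls argued for in the comments above (an explicit DACL on the pipe so not "any user-mode application" can open it, a fixed set of integer command codes instead of client-supplied data, and ImpersonateNamedPipeClient() so the work runs with the client's rights) fit together in one server. The following is an added example written for this page, not code from any commenter or from the linked articles; it targets Windows PowerShell 5.1 on .NET Framework (the NamedPipeServerStream constructor that takes a PipeSecurity is not present on PowerShell 7/.NET Core), and the pipe name, the command codes and the choice of BUILTIN\Users as the allowed group are illustrative assumptions.

```powershell
# Added example (not from the thread): a named-pipe server applying three controls:
#   1. an explicit DACL on the pipe,  2. fixed integer command codes,
#   3. impersonating the client while doing the work.
# Windows PowerShell 5.1 / .NET Framework. Pipe name and command set are assumptions.
Add-Type -AssemblyName System.Core          # System.IO.Pipes lives here on .NET Framework

$PipeName = 'DemoPrivilegedService'         # hypothetical pipe name

# 1. Channel: choose who may open the pipe instead of accepting the default DACL,
#    which lets Everyone read it, remote SMB callers included. ReadWrite deliberately
#    excludes CreateNewInstance, so a client cannot create (squat) an instance of our name.
function New-HardenedPipeSecurity {
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $deny  = [System.Security.AccessControl.AccessControlType]::Deny
    $sec   = [System.IO.Pipes.PipeSecurity]::new()
    foreach ($r in @(
        @{ Sid = 'BuiltinUsersSid'; Rights = 'ReadWrite';   Type = $allow },   # local users may talk to us
        @{ Sid = 'LocalSystemSid';  Rights = 'FullControl'; Type = $allow },   # the service account itself
        @{ Sid = 'NetworkSid';      Rights = 'FullControl'; Type = $deny  }    # never from another machine
    )) {
        $id = [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::($r.Sid), $null)
        $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
            $id, [System.IO.Pipes.PipeAccessRights]::($r.Rights), $r.Type))
    }
    return $sec
}

# 2. Message: the client picks one integer code; the service, not the client, decides
#    what each code means. No path, command line or user name ever crosses the pipe.
$Commands = @{
    1 = { 'pong' }
    2 = { (Get-Date).ToUniversalTime().ToString('o') }
    # Succeeds only if the *client* may read this directory; under SYSTEM it always would.
    3 = { try { (Get-ChildItem "$env:SystemRoot\System32\config" -ErrorAction Stop).Count }
          catch { "denied: $($_.Exception.Message)" } }
}

# 3. Privilege: RunAsClient wraps ImpersonateNamedPipeClient/RevertToSelf, so while the
#    action runs the server thread carries the caller's token, not the service's.
function Invoke-PipeServerOnce {
    param([string]$Name, [hashtable]$Table)
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name, [System.IO.Pipes.PipeDirection]::InOut,
        1,   # single instance: .NET then requests FILE_FLAG_FIRST_PIPE_INSTANCE, so creation fails if the name already exists
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, (New-HardenedPipeSecurity))
    try {
        $server.WaitForConnection()
        $code  = $server.ReadByte()             # -1 if the client hung up without sending
        $reply = "rejected: unknown command $code"
        if ($Table.ContainsKey($code)) {
            $state = @{ Who = $null; Result = $null }
            $server.RunAsClient({
                $state.Who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                $state.Result = & $Table[$code]
            })
            $reply = "ran as $($state.Who): $($state.Result)"
        }
        $writer = [System.IO.StreamWriter]::new($server)
        $writer.WriteLine($reply); $writer.Flush()
        $server.WaitForPipeDrain()
        return $reply
    } finally { $server.Dispose() }
}

# Client side: one byte out, one line back. Impersonation level must be at least
# Impersonation, otherwise RunAsClient on the server throws.
function Send-PipeCommand {
    param([string]$Name, [int]$Code)
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $Name,
        [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
    try {
        $client.Connect(15000)
        $client.WriteByte([byte]$Code); $client.Flush()
        return [System.IO.StreamReader]::new($client).ReadLine()
    } finally { $client.Dispose() }
}

# Demo: run the client in a background job (a separate process, same user) so the
# blocking server can sit in the foreground. Code 1 is answered; code 99 is rejected
# without the server ever interpreting anything the client sent.
foreach ($code in 1, 3, 99) {
    $job  = Start-Job -ScriptBlock ${function:Send-PipeCommand} -ArgumentList $PipeName, $code
    $null = Invoke-PipeServerOnce -Name $PipeName -Table $Commands
    "client got: $(Receive-Job -Job $job -Wait -AutoRemoveJob)"
}
```

Run it as an ordinary user and code 3 comes back "denied", because the directory listing executes under the impersonated caller; the same service without RunAsClient would list the directory with whatever rights the service has. Impersonation only protects work that is actually done inside the worker: anything the handler does before or after it still runs as the service account, so keep the dispatch table the only place that touches resources on the client's behalf.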
I've seen a lot of documentation (third party and Microsoft) that just start in on a "Visual Studio"-based solution while ignoring everything else, which kind of rubs me the wrong way.
- Create an architecture diagram out of .NET and native compiled code.
- Integration with SharePoint and Dynamics SDKs
- SQL Server and Azure SDKs
- Using the Fakes mocking framework for MSIL rewriting
- Debugging the GPU shaders
Just a couple of examples, I can take plenty more out of VS enterprise.
I really don't get how people can think JetBrains does better than platform owners.
They will forever play catch-up with platform capabilities and only offer a subset of the package.
NamedPipes are sweet for doing same-machine IPC on Windows, that is for sure, but the built-in API is full of footguns.
See https://stackoverflow.com/questions/31936100/namedpipeserver...
Edit: Never mind, see https://docs.microsoft.com/en-us/dotnet/standard/serializati...
Security can be achieved not at the channel level but at the message level: if you cannot decrypt the message, then it's not for you. At the expense of overhead you open the door to flexibility.
Ultimately it's a tool. What matters is how you use it. Definitely better than using shared memory for IPC. Files are by default not secured either. Anyone can write to them.
Are there any apps (except for creating stuff) that are being developed in a way that the “server” part is running locally? It seems to me that everything goes web now, and if you have a desktop app, it’s “just” a client for something remote?