Good morning, Las Vegas. It's not really morning, but I always wanted to say this. My name is Gil Cohen and I will be your host at this almost-last lecture. I want to thank you all for attending this lecture. It's not trivial that all of you stayed; I know that many went home or are just staying out at the pool. So a big shout-out to you for coming. And today I'm going to talk about remote vulnerabilities in named pipes. So let's begin.

First I'll start off with some introduction of myself. I'm going to tell you about my past, or the things that I can't tell you, at least. Then we're going to talk about some key terms of Windows named pipes in general and inter-process communication. Then I'm going to show you how to connect to named pipes, named pipe access control lists, named pipes in the wild, enumerating and sniffing named pipes, fuzzing named pipes, and exploitation. Then we'll move on to the audience's favorite part, which is live demos, and then I'll show you some mitigations and the conclusion of my talk.

So let's start. My name is Gil. I'm 34 years old and I'm the CEO of Comsec Global. I'm going to tell you a little bit about my company at the end of this lecture. This is the biggest and most veteran company in Israel: 30 years, 150 consultants. And I've been a hacker for about 13 years now. I started in the Israeli military. I was a penetration tester of all kinds, application and infrastructure, and I even worked with some Israeli security agencies. I cannot tell you which, because then I would have to kill you, and I don't want to kill you at the beginning of my presentation, and you are more than I am. So I'll just spare the details. So I've been hacking a lot of stuff, including Windows applications, and during one of my penetration tests and my hacks I came across this vulnerability technique that I'm going to show you, which was completely unknown or forgotten by penetration testers, and this was the motivation for my talk.
But before talking about the vulnerability itself, let's start with some key terms, just in case you are not familiar with them.

Inter-process communication is an operating system mechanism that allows processes and applications to manage shared data. You can use, for example, internal sockets, which probably most of you know, and you have different kinds of inter-process communication as well. Each and every participant in this communication is considered either a client or a server, and it can be both; you can have multiple clients and multiple servers in end-to-end communication. And of course both clients and servers can be defined together.

Windows named pipes are one of the methods to perform inter-process communication in Windows. They can be either one way or two way, half duplex or full duplex, and they utilize a unique file system that is called NPFS, the Named Pipe File System. They can be accessed by any process in your local operating system, subject to security checks, which is obviously ACLs. All instances of the same named pipe (a connection to a named pipe is called an instance) have the same name: if you have a named pipe called GIL, then everyone who talks to this named pipe will create an instance with the same name. So there are many, many configurations and variants of named pipes: half duplex or full duplex, byte-oriented or packet-oriented, local or network, and this is what people miss. Inter-process communication, unlike its name, is not only internal; it's not only an internal interface in your operating system, it can be used remotely. Named pipe communication is not encrypted, so if you have any named pipe that is connected remotely, it would use either SMB, port 445, or RPC, which is port 135, and it is totally unencrypted, so you can obviously just sniff it and replay it, and in some cases even perform a man-in-the-middle attack.
RPC: some of you, most of you, must probably know it, but I'm going to tell it anyway. This is a protocol that allows one program to invoke services from a program located in another computer, or another service, another process; you just call it from one computer to the other. It uses port 135, and DCE/RPC is just a variant or subtype of RPC which allows the programmer to think that the process that he's calling is actually local, when in fact it is a remote one, so it just makes the programmer's life a little bit more convenient.

SMB, or Server Message Block, is a famous protocol. It can be used for file sharing, printers, serial ports, etc.; it's mostly used for file sharing, and probably most of you know it through links like this, URLs that look like this: you can see \\192.168.11\c$, this is an SMB connection, or \\fileserver. This is the famous SMB protocol; it uses port number 445. So if you have any of these ports open, you can connect to named pipes as well.

But there are actually two kinds of named pipes, not only the regular named pipes: you also have unnamed pipes, or anonymous pipes, not the famous Anonymous that you see on the right, but a named pipe with a random name. This kind of pipe is used only between a parent process and its child processes, and it cannot be used for communication over the network, and this is why I haven't focused on it during my research, because I wanted to see which named pipes can be connected to remotely.

So how can you connect to a named pipe? All pipes are placed in the root directory of NPFS, which is \\<IP address of the computer>\pipe\<pipe name>; the IP address can be a dot, for example, if it's the local computer. This is how you connect to a pipe, but you cannot just open your Windows Run command and connect to it; you need a special connection. You either need to do it using a programmer's code or using a dedicated tool that I'm going to show you in the next slides. So here's a URL, for example, for connecting
to a named pipe: you can see \\.\pipe\foo, this is a connection to a local pipe, and if you want to connect to the same pipe remotely, and the ACL allows it, you just add the IP address instead of the dot character.

So the best tool in order to connect to named pipes is IO Ninja. This is a commercial tool; it used to be free for non-commercial usage, but they just changed their license agreement, so now it is paid only, and you can have a non-registered copy of it. This is like the Swiss army knife of communication in general and of named pipes specifically. You don't necessarily need to use it for regular TCP/IP communication, because you have netcat and nmap and many other great tools, but this is the only good tool for named pipe communication, and this is the tool I was using during my research.

So how does the communication look when you open Wireshark? Because I told you that named pipes can be remotely accessed, this is how it looks: you can see here a Wireshark window, and you can see that the named pipe is using SMB communication, and here at the bottom you can see that this is total clear text. So whatever is being transferred to a remote named pipe can be sniffed. But there are some limitations: if you are a programmer and you start your own named pipe, you listen on a named pipe, you can protect it.

So how can you do it? Using ACLs. Named pipes are implemented by a file system driver in Windows, and this started from Windows NT in fact, and they follow the ACLs, the discretionary access control list permissions. But the default value is that the permission is set to anyone, or anonymous logon, so if you create your own named pipe and you don't set the ACLs specifically, anyone can connect to it. So many named pipes allow either anonymous access or only domain user access, but obviously it's still a lot of users that can exploit vulnerabilities in them. You can modify ACLs to make only specific users access a named pipe, but this
is not the default behavior, and unfortunately I witnessed a lot of named pipes that just didn't do it, and I'm going to show you some examples.

So here is a named pipe, for example. This is a Windows built-in named pipe; it is called InitShutdown, and you can see that the permissions for this named pipe are Everyone, Anonymous and Administrators, which actually has no effect, because everyone can access it. So anyone can access the InitShutdown named pipe, and this is a built-in Windows operating system named pipe.

Named pipes, unlike any other interface you know, either regular SMB files or sockets, have an additional feature which is called maximum instances. A connection to a named pipe is called an instance, a named pipe instance, and on the left you can see the different named pipes and their current number of instances, and on the right you can see that there is a maximum value for some of them. If the value is minus one, then there is no limitation, but if this is not minus one, then there can be a maximum number of connections or instances to these named pipes. So you can see here several named pipes with the value one or the value seven, so it means that you cannot just connect to them without any limitation.

So let's talk about named pipes in the wild. Most of you probably heard about the Conficker worm, or Conficker virus, that was detected in November 2008. It used flaws in the Windows operating system, and it used dictionary attacks on administrator passwords to propagate while forming a botnet, and it used advanced malware techniques similar to the recently discovered NotPetya and WannaCry ransomware and malware. So it infected a lot of computers, millions of computers in 190 countries, and it had several variations. This is how it looks like, very nice. One variation, which is the variation C, creates a named pipe over which it pushes URLs for downloads to other infected computers in your LAN. So if you have one computer that is
infected and it gets the command from the command and control center, it just propagates this command through named pipes in order to make sure that the rest of the infected computers get the same command as well. And this is not only used by Conficker but by others as well, such as mocker, zedex, search shells and even the now-famous Petya.

So how can you enumerate and scan for named pipes? If you want to have a look at your own named pipes on your own Windows computer, you can just use Sysinternals PipeList. This is the best tool for enumerating named pipes, and you can just run it and immediately see what we just witnessed in the previous slide: all of the pipe names, the current number of instances and the maximum number of instances. So this is what you should use if you want to see what named pipes are listening on your own computer.

There are multiple tools for checking the access control lists of named pipes. This is a deprecated tool; it is called Beyond Security Pipe Security Editor, but unfortunately it is unmaintained and deprecated, because it only works on Windows XP or older. But you can see that this tool used to allow you to edit named pipe permissions in real time, just as you do with files. So unfortunately there are no similar tools for newer versions of Windows, and this is a deprecated tool, but for current Windows versions you can use Sysinternals PipeACL; it comes in the same package as PipeList, and once you activate it you see the output that we saw earlier, which tells you which groups have permissions for the current named pipe that you're checking. In this example I was checking another Windows operating system named pipe, which is called lsarpc, and yet again, anonymous access to everyone.

So how can you remotely enumerate named pipes? There aren't many tools for doing it, but there are several scripts in Metasploit, not very common scripts and not well known, but you can use them nonetheless. This is called pipe_auditor, and you can use it in
order to remotely scan for named pipes. If you want to scan using SMB, you use the original pipe_auditor script; if you want to scan using RPC, you use pipe_dcerpc_auditor. So here you can see an example of executing pipe_dcerpc_auditor that allows you to scan remotely. This script has its own database of named pipe names, because it's not like scanning for ports, you don't know all of the valid values, so you need to have a list of named pipes. I don't know how well this is maintained or not, but you can still try to use it.

So how can you sniff the content of named pipes? Let's say you want to discover a new vulnerability, a new remote code execution or a new denial of service. The first thing that you need to do is to get the valid communication. So how can you do it? IO Ninja to the rescue yet again. IO Ninja, as I told you earlier, is the Swiss army knife of named pipes: you can use it both to connect to any pipes, to listen on named pipes if you want, you can even create a named pipe server, and also to use it as a named pipe sniffer, and this is a new module in IO Ninja. So you can see on my own computer I can start it. It has some bugs, because every now and then it finds named pipes, I know they're named pipes, that it cannot read, but if we wait a little bit, let's see if I see some named pipe communication. As I told you, it's a rather new module, so it's not perfect yet, but let's just wait for a second or two. This is not me, this is the Windows operating system. I went before... come on, Bill Gates. Now... okay, I'll just show you in the presentation, sure.

So this is how it looks like when you see communication: you can see the open named pipes, in this example it's mms server, and you can see the entire communication, totally clear text, unless of course the protocol itself embeds encryption of any kind.

So a key process of finding vulnerabilities, whether you want to jailbreak an iPhone or you want to find any unmanaged code vulnerabilities, is fuzzing, and this is what we're
doing. If you are not familiar with fuzzing, let's just quickly go through the basic terminology and definition of it. Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected or random data: you just bombard the interface with any unexpected values. It sounds a little bit like QA, but this is done automatically; QA is usually done manually, you have the QA guy that just writes the scripts and sends them, and fuzzers do it for you, the automatic fuzzing tools do it for you. In the fuzzing process you then monitor the program that you are trying to crash or to find a vulnerability in, and if anything is wrong you know that you can further investigate it. Usually fuzzers are used to test unmanaged code, C and C++, because usually you want to find any sort of buffer overflows. For example, Microsoft embeds fuzzing processes in their development operation for any product they do. For example, if you have Microsoft Office, they perform multiple fuzzing on each and every application of it, and they found multiple vulnerabilities in their parsers. So this is a very useful technique in finding bugs.

But there are in fact two kinds of fuzzing: dumb fuzzing, or black box fuzzing, and smart fuzzing. In dumb fuzzing you just go over all the possible inputs without understanding the expected one; you just bombard it with random data or sequential data, and you don't understand what's the purpose of the parameter that you are trying to fuzz. This is simple to implement, very fast to implement, sometimes impossible to execute, because you have multiple, multiple options, and the code coverage is very poor: you don't cover all of the different options in the programmer's code. On the other hand there is smart fuzzing, or white box fuzzing. In this technique you understand the expected input, you understand each parameter that is being sent to the interface, in this example the named pipes, and you modify, slightly modify, and test using
the edges of the valid values to check for bugs and errors. So this is smart data generation: if you have, for example, a file and you have a checksum field, in smart fuzzing you need to calculate it, and of course it is harder to implement. We in Comsec don't have a lot of resources like the different companies that presented before me, so we weren't doing a lot of smart fuzzing, we mostly focused on dumb fuzzing, but still we found very, very interesting vulnerabilities. And the reason that I show you this presentation is that I want others to move forward and use smart fuzzing as well to find new zero-day vulnerabilities.

So we also found this nice little script that is called Advanced Pipe Fuzzer. You can download it from this URL; it was written many years ago, but as I told you, not many people know that named pipes can be accessed remotely, so it was hard-coded for local named pipes only. So we slightly modified it and improved it a little bit, and we used it in our research in order to find the vulnerabilities that I'm going to show you in our live demo.

So let's see some examples of exploitation and impacts. Many pieces of software work with hidden or undocumented APIs. This can be either a web server or a Windows application server that listens on a named pipe which is totally undocumented. The forgotten nature of named pipes leaves an uncharted territory of socket-like interfaces that contain vulnerabilities: remote denial of service, buffer overflows, remote code execution and any kind of vulnerability that you can think of. Named pipes fall in between application penetration tests and infrastructure penetration tests. If you are an application penetration tester, you probably usually just use the normal ports, which is obviously HTTP, and every once in a while you use other variants as well, but you never look at RPC or SMB in the first place. If you see RPC or SMB, you just skip it, and most of the time you barely look at it or even don't know what it is. So
application penetration tests don't look at it. And if you are in an infrastructure penetration test, whenever you see an RPC or SMB port which is open, you try to brute force it, you try to brute force credentials, and you use your username/password, admin/username/password, and then you try to get valid credentials in order to hack into the system, but you never look at the named pipes that listen behind these open ports. If you are an EDR (endpoint detection and response) expert, the multiple products that try to defend your endpoint, your user station, you probably don't take special notice of remote connections. You know what named pipes are, you know that you can use them in order to hack into stuff and to elevate privileges, but you don't think a lot about the remote nature, the possible remote connection, of the named pipes.

So if your software, if your installed Windows software, reads data from named pipes without validation, it's like any vulnerable application: you can have multiple vulnerabilities, including buffer overflows, that can lead to denial of service or even in some cases remote code execution. So if the named pipe ACL (access control list) allows remote access, then remote denial of service or remote code execution can be triggered. Research of the cause behind the crash will allow the attacker to facilitate it as a zero-day vulnerability. If you find a vulnerability in one of the Windows named pipe interfaces that can be connected to remotely, and there are several such interfaces, this can be used in order to spread malware like WannaCry or NotPetya. Imagine the new NotPetya 2 or something similar that can utilize named pipe vulnerabilities; and of course remote denial of service is game over.

So let's see a case study of some interesting vulnerabilities that we saw in three different Windows applications: Viber, qBittorrent and SugarSync. You probably all know Viber, but just in case you just landed from Mars or from the moon: this is a cellular, an endpoint social
communication application. The most common one is installed on your mobile device, but there is another version that you can install on your Windows operating system. It allows you to perform free calls, text, pictures; this is the major competitor of WhatsApp, and it had 800 million users worldwide. qBittorrent is a torrent client; probably most of you know what torrent is. This is a cross-platform client for the BitTorrent protocol, free and open source, written in C++. And SugarSync, the last application that I'm going to show you a demo for, is a cloud service that enables active synchronization of files across computers and other devices, similar to Dropbox, used for file backup, access, syncing and sharing. It supports a variety of operating systems, including Windows.

And this is what I found interesting: the three applications have one common feature. They all use the widely used Qt framework as part of their application. This is a cross-platform application development framework for desktop, embedded and mobile; it also supports Windows, and in the Windows implementation of the Qt framework there was a vulnerability in the feature or functionality that is called QtSingleApp. This is responsible for writing a temporary file, probably to make sure that your application runs only once, so that you don't open multiple instances of the same application. So by fuzzing named pipes, we performed just a dumb fuzzing on this interface, we found a remote denial of service, or we could remotely crash the programs that I just showed you, and in qBittorrent we were also able to perform a remote command injection, which I'm going to show you.

So I'm now silently praying to the demo gods; if you know the prayer, just join me, I encourage you to. So this is the virtual machine I'm going to do the demo with, this is the IP address, and first I'm going to activate Viber. Oh, but just a second, before I activate Viber, let me just show you the different pipes. So I activate PipeList, which is the Sysinternals
tool for enumerating named pipes, and you can see different Windows named pipes: InitShutdown that we saw earlier, lsass, ntsvcs, probably svchost and other services. And once I start Viber and execute it once again, you would see that suddenly I have this named pipe which contains Viber in it, so obviously this is QtSingleApp Viber, and now I'm going to exploit it.

So let's get back to my computer, and now this is IO Ninja. I'm going to open a file stream that allows me to remotely connect to a named pipe, and just put the right IP in here, what was it again, 31.132, \pipe\<pipe name>. Oh, just a second, I have some problems: you need to be a domain user in this example, so I need to put a valid set of credentials to have access to any named pipe in this example, so I'll just put username and password. Okay, now I'm connected to Viber's named pipe remotely, and if I put just a single character, this is all that is needed for this vulnerability, if I hit the send button you would see that now Viber is no longer responding.

And this is the case with SugarSync as well, but this time I'm going to perform dumb fuzzing using the script I just showed you. So it's starting, and you can see that here I have a very similar named pipe which is called QtSingleApp SugarSync, or SugarS..., and I'm going to copy it online. This might look like random characters, but this is in fact a fixed value, so if you have Viber and you have SugarSync you know that these named pipes are fixed. So now I'm going to activate the fuzzer that we're using, okay, and you can see that just after two requests, this is all it needed, and SugarSync is also dead.

And the last example I'm going to show you, this is the coolest example we found, this is in qBittorrent. So I'll just copy and paste the named pipe's name, but this time I won't just send a single character. We witnessed a very interesting behavior in this named pipe: for some reason they actually use values from this named pipe in order to perform commands, so you can
see that I sent two 'a' characters with a space afterward, and then I send defcon25, and if I send it we will get this error: torrent file defcon25 does not exist. And now I prepared this rickroll torrent link, and I just replace defcon25 with the rickroll link, let me just reconnect to it, and now qBittorrent is never going to give you up.

So let's talk about the mitigation and the defense for the attack that I just showed you. From the developer's point of view: if you are a developer, you should know the risk. If you're using named pipes in your Windows application, you should create named pipes with an access control list for specific users. You should always follow the least privilege approach; don't give any redundant permissions that are not needed in order for your application to activate correctly, so just give minimal permissions, the minimal number of users. If the named pipe should not be remotely accessed, just block it altogether and make it local only; this is also an option. And if you have the possibility, just limit the maximum number of instances for your named pipe.

For users or third-party software clients: know the risk, just block all unnecessary SMB and RPC services, 135 and 445 obviously, especially over the internet. If you have RPC and SMB open to the internet, you have big problems unrelated to named pipes, so just block it altogether. Segment your network, so at least if one computer is affected it won't be able to spread to other computers as well, or if you have an attacker in one section of your network, he won't be able to exploit these vulnerabilities in other sections as well. And always install the latest software security patches. Just in recent days it was found that in Malwarebytes, the famous anti-malware software, there was a similar vulnerability to the one I just showed you, that allowed you to inject commands as the SYSTEM user, so they fixed it, so you need to install the latest version.

And my favorite point of view, which is the hacker's
point of view: just know the opportunity and hack. You should just use the technique that I showed you in order to search for remote code execution and remote denial of service whenever you see open SMB and RPC ports, and just have fun; you can use it and utilize it in order to find zero-day vulnerabilities that are completely uncharted.

So some closing remarks. Windows named pipes are a forgotten, remotely accessible, socket-like interface: you don't need to put your socket number, you need to put the named pipe name. This is a whole newly rediscovered potential world of local and remote vulnerabilities, an increased attack surface, and don't ignore it, because it can lead to significant vulnerabilities.

If you liked the presentation, I encourage you to contact us in Comsec. We are a small consulting company and we are not as big as the companies that were presenting, so in order to support our work and to work with professionals, I encourage you to contact us; I have my email at the end. We are a small company, so we have the speed and the agility, in multiple services that include penetration tests of all kinds, security development lifecycle, architecture design, GRC services, ISO 27001 and PCI DSS, and also red team and attack simulation and offensive security services of all kinds. So if you have any question or you want to contact me following my presentation, or of course if you want to contact me regarding working with Comsec, you have my Twitter and my LinkedIn and email. And I want to thank everyone that participated in this research, and also I want to thank Viber, who were the only ones to take this vulnerability seriously; we tried to contact other application owners as well, but we couldn't. So I want to thank Viber as well, and Adi, happy birthday, and mazal tov, and thank you.
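As an added example that is not part of the talk or of any of the products it names, here is the developer-side mitigation from the talk (an explicit DACL for specific users, no access for network logons so the pipe stays local only, and a capped number of instances) written in PowerShell 5.1 on top of the .NET Framework System.IO.Pipes API, with a local self-test client and a side-by-side look at the DACL a pipe gets when no security descriptor is supplied. The pipe names, the echoed message and the function names are constructed for this example.

```powershell
# Added example (not from the talk): create a named pipe the way the mitigation
# section recommends, using PowerShell 5.1 / .NET Framework System.IO.Pipes.
# Assumes Windows with PowerShell 5.1; pipe names below are constructed.
Add-Type -AssemblyName System.Core

function New-HardenedPipeSecurity {
    # Explicit DACL instead of the default one: only the creating user may use
    # the pipe, and callers whose token carries NT AUTHORITY\NETWORK (S-1-5-2),
    # i.e. anyone who arrived over SMB/RPC, are denied even with valid domain
    # credentials. That is the "make it local only" option from the talk.
    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $me,
        [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow))
    $network = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $network,
        [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny))
    return $sec
}

function New-HardenedPipeServer {
    param([string]$PipeName, [int]$MaxInstances = 1)
    # Passing a PipeSecurity replaces the default DACL; $MaxInstances is the
    # "maximum instances" value the talk shows in PipeList (1 = one connection).
    return [System.IO.Pipes.NamedPipeServerStream]::new(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        $MaxInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,
        (New-HardenedPipeSecurity))
}

function Show-PipeDacl {
    param([System.IO.Pipes.PipeStream]$Pipe)
    # Read back the effective DACL, the same check a PipeACL-style tool does.
    $Pipe.GetAccessControl().GetAccessRules($true, $false,
        [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, PipeAccessRights, AccessControlType |
        Format-Table -AutoSize
}

$suffix   = [guid]::NewGuid().ToString('N')          # constructed, avoids clashes
$pipeName = "HardenedExamplePipe_$suffix"

$server = New-HardenedPipeServer -PipeName $pipeName
Write-Host "Listening on \\.\pipe\$pipeName with explicit DACL:"
Show-PipeDacl -Pipe $server

# Local self-test client in a background job (same user, interactive logon, so
# the Allow ACE applies and the NETWORK Deny ACE does not).
$client = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    $c = [System.IO.Pipes.NamedPipeClientStream]::new('.', $name,
        [System.IO.Pipes.PipeDirection]::InOut)
    $c.Connect(5000)
    $w = [System.IO.StreamWriter]::new($c); $w.AutoFlush = $true
    $r = [System.IO.StreamReader]::new($c)
    $w.WriteLine('hello from local client')      # constructed message
    $r.ReadLine()
    $c.Dispose()
}

$server.WaitForConnection()
$reader = [System.IO.StreamReader]::new($server)
$writer = [System.IO.StreamWriter]::new($server); $writer.AutoFlush = $true
$line = $reader.ReadLine()
$writer.WriteLine("server received: $line")
$server.Dispose()
Write-Host ("Client got back: " + (Receive-Job $client -Wait))

# For comparison: the one-argument constructor supplies no security descriptor,
# so the pipe gets the system default DACL; inspect it the same way to compare
# with what the talk observed on InitShutdown and lsarpc.
$weak = [System.IO.Pipes.NamedPipeServerStream]::new("WeakExamplePipe_$suffix")
Write-Host "Default DACL of a pipe created without a PipeSecurity:"
Show-PipeDacl -Pipe $weak
$weak.Dispose()
```

Run it in an elevated or normal PowerShell 5.1 console on Windows; the second Show-PipeDacl output is what PipeList and PipeACL would report for a pipe whose author did not set an ACL.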