HPCmd Utility Risk Analysis
The HPCmd communication channel is based on Windows named pipes (http://msdn.microsoft.com/en-us/library/aa365590(VS.85).aspx). Named pipes rely on Windows security for authentication and authorization.
The HPCmd client is a pipe client (the client process initiates the connection). The HPCmdService is a pipe server. After each command invocation request from the HPCmd client, the HPCmd service creates 3 additional ad hoc pipe servers to stream command execution indications back to the client.
The Windows framework handles the whole authentication process by sending the pipe client's authentication information to the pipe server in a secure manner.
The security descriptor (used when initiating the named pipe server) determines which users/accounts are allowed to connect to the main named pipe server invoked by the HPCmdService.
The main HPCmdService named pipe service security descriptor gives the following permissions:
- Full control to: LocalSystem account, members of the Administrators group, Creator owner.
- Read access to: members of Everyone group, Anonymous account.
Possible attack vectors are:
- An anonymous/unauthenticated user will connect to the main HPCmdService named pipe with Read privileges. In this scenario the user cannot write to the pipe, meaning that the user will not be able to invoke commands on the server.
- An anonymous/unauthenticated user will connect to one of the 3 pipe servers created per command execution for results streaming. The user will gain Read privileges. In this scenario the user can get the command execution results from the pipe but not change the command execution route. The data available in this pipe depends on the HPCmd command requested, which does not contain any confidential information.
The HPCmd pipe client tries to connect to the 3 created server named pipes for each specific command it executed. The attacker will have a very narrow time slot to perform a channel hijack and connect to the server pipe before the legitimate HPCmd client. In addition, the named pipe server names are determined differently for each new channel according to the HPCmd client process. This will make a brute force hijack attack much more difficult, considering both time limitation and name guessing constraints on the attacker.
The same attack pattern can be performed by a member of the Everyone group in Windows. The risk here is lower considering Windows's traceability capabilities for an authenticated process.
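The following Python code is an added example, not part of the original page or of the product. It writes the permissions listed above as a constructed SDDL string and reports which capabilities the Everyone and Anonymous trustees receive, which is the check behind the attack vectors above. The SDDL string, the function names and the reduction of rights to read/write are assumptions made for illustration; deny ACEs and group membership are not evaluated.

```python
import re

# SDDL SID aliases for the trustees named in the descriptor above.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "CO": "Creator Owner",
            "WD": "Everyone", "AN": "Anonymous"}
# SDDL rights tokens reduced to the two capabilities that matter on a pipe.
TOKENS = {"GA": {"read", "write"}, "FA": {"read", "write"},
          "GR": {"read"}, "FR": {"read"}, "GW": {"write"}, "FW": {"write"}}
# Access-mask bits: GENERIC_READ/WRITE/ALL and FILE_READ_DATA/FILE_WRITE_DATA.
READ_BITS = 0x80000000 | 0x10000000 | 0x1
WRITE_BITS = 0x40000000 | 0x10000000 | 0x2
UNAUTHENTICATED = ("WD", "AN")
# Constructed SDDL matching the permissions listed above (not taken from the product).
DESCRIBED = "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;CO)(A;;GR;;;WD)(A;;GR;;;AN)"


def rights_to_caps(rights):
    """Map an SDDL rights field (token string or hex mask) to {'read', 'write'}."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        read = {"read"} if mask & READ_BITS else set()
        write = {"write"} if mask & WRITE_BITS else set()
        return read | write
    caps = set()
    for i in range(0, len(rights), 2):
        caps |= TOKENS.get(rights[i:i + 2], set())
    return caps


def parse_dacl(sddl):
    """Return {sid_alias: capabilities} for the allow ACEs in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL in SDDL string")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + ace)
        if fields[0] == "A":  # allow ACE; deny and audit ACEs are ignored here
            granted.setdefault(fields[5], set()).update(rights_to_caps(fields[2]))
    return granted


def audit_pipe_dacl(sddl):
    """List (trustee, capability) pairs granted to unauthenticated trustees."""
    granted = parse_dacl(sddl)
    return [(TRUSTEES[sid], cap) for sid in UNAUTHENTICATED
            for cap in sorted(granted.get(sid, ()))]
```

For the descriptor as described, `audit_pipe_dacl(DESCRIBED)` reports read only for Everyone and Anonymous; a "write" entry in the result would mean an unauthenticated client could send data to the pipe.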
Impersonation
You can configure the HPCmdSvc.exe file to run with impersonation. For details, see
Data integrity
Named pipe communication is vulnerable to data tampering between the pipe client and the pipe server. It is recommended to use a more secure mechanism such as SSH when possible.
Confidentiality
Named pipe communication is not encrypted and is therefore vulnerable to data sniffing. It is recommended to use a more secure mechanism such as SSH when possible.