HPCmd Utility Risk Analysis

The HPCmd communication channel is based on the Windows named pipe (http://msdn.microsoft.com/en-us/library/aa365590(VS.85).aspx). Named pipe technology leverages the Windows security for Authentication and Authorization.

The HPCmd client is a pipe client (client process initiates the connection). The HPCmdService is a pipe server, and after each command invocation request from the HPCmd client, the HPCmd service creates ad-hoc an additional 3 pipe servers to stream command execution indication back to the client.

ClosedAuthentication

The windows framework handles the whole Authentication process by sending the pipe client authentication information to the pipe server in a secure manner.

ClosedAuthorization

The security descriptor (used when initiating the named pipe server) determines which users/accounts are allowed to connect to the main named pipe server invoked by the HPCmdService.

The main HPCmdService named pipe service security descriptor gives the following permissions:

  • Full control to: LocalSystem account, members of the Administrators group, Creator owner.
  • Read access to: members of Everyone group, Anonymous account.
ClosedAttack Vectors

Possible attack vectors are:

  • An anonymous/unauthenticated user will connect to the main HPCmdService name pipe with Read privileges. In this scenario the user cannot write to the pipe, meaning that he will not be able to invoke commands on the server.
  • An anonymous/unauthenticated user will connect to one of the 3 pipe servers created per command execution for results streaming. The user will gain Read privileges. In this scenario the user can get the command execution results from the pipe but not change the command execution route. The data available in this pipe depends on the HPCmd command requested, which does not contain any confidential information.
ClosedRisk Analysis

The HPCmd pipe client tries to connect to the 3 created server named pipes for each specific command it executed. The attacker will have a very narrow time slot to perform a channel hijack and connect to the server pipe before the legitimate HPCmd client. In addition, the named pipe server names are determined differently for each new channel according to the HPCmd client process. This will make a brute force hijack attack much more difficult, considering both time limitation and name guessing constraints on the attacker.

The same attack pattern can be performed by a member of the Everyone group in Windows . The risk here is lower considering Windows's traceability capabilities for an authenticated process.

Impersonation

You can configure the HPCmdSvc.exe file to run with impersonation. For details, see the NTCMD protocol's Run remote commands impersonated parameter.

Data integrity

Named pipe communication is vulnerable to data tampering between the pipe client and the pipe server. It is recommended to use more a secure mechanism such as SSH when possible.

Confidentiality

Named pipe communication is not encrypted, therefore it is vulnerable to data sniffing. It is recommended to use more a secure mechanism such as SSH when possible.