>>Good morning Las Vegas. It's not really morning, but I always wanted to say this. My name is Gil Cohen, and I'll be your host at this almost-last lecture. I want to thank you all for attending this lecture; it's not trivial that all of you stayed. I know that many went home or are just staying out at the pools, so a big shout-out to you for coming. Today I am going to talk about remote vulnerabilities in named pipes. So let's begin. First I'll start off with some introduction of myself. I'm going to tell you about my past, or the things that I can tell you at least. Then we're going to talk about some key terms of Windows named pipes in general and inter-process communication. Then I'm going to show you how to connect to named pipes and named pipe access control lists in the wild, enumerating and sniffing named pipes, fuzzing named pipes, exploitation, and then we will move on to the audience's favorite part, which is demos, and then I'll show you some mitigations and a conclusion of my talk. So let's start. My name is Gil, I'm thirty-four years old and I'm the CTO of Comsec Global. I'm going to tell you a little bit about my company at the end of this lecture. This is the biggest company in Israel and the most veteran one, thirty years, one hundred fifty consultants, and I've been a hacker for about thirteen years now. I started in the Israeli military; I was a penetration tester of all kinds, application and infrastructure, and I even worked with some Israeli security agencies. I cannot tell which, because then I would have to kill you, and I don't want to kill you at the beginning of my presentation, and you are more than I am, so I'll just spare the details.
So I've been hacking a lot of stuff, including Windows applications, and during one of my penetration tests and hacks I came across this vulnerability technique that I'm going to show you, that was completely unknown or forgotten by penetration testers, and this was the motivation for my talk. But before talking about the vulnerability itself, let's start with some key terms, just in case you are not familiar with them. Inter-Process Communication: this is an operating system mechanism that allows processes and applications to manage shared data. You can use, for example, internal sockets, which probably most of you know, and you have different kinds of inter-process communication as well. Each and every participant in this communication is considered either a client or a server, and it can be both, and you can have multiple clients and multiple servers, M-to-M communication. And of course both clients and servers can be defined together. Windows named pipes are one of the methods to perform inter-process communication in Windows. It can be either one-way or two-way, half duplex or full duplex, and it utilizes a unique file system that is called NPFS, the Named Pipe File System. It can be accessed by any process in your local operating system, subject to security checks, which is obviously ACLs. All instances of the same named pipe (a connection to a named pipe is called an instance) have the same name. If you have a named pipe called Gil, then everyone who talks to this named pipe will create an instance with the same name. There are many configurations and variations of named pipes: half duplex or full duplex, byte-oriented or packet-oriented, local or network. And this is what people miss: inter-process communication, unlike its name, is not only internal.
It's not only an internal interface in your operating system; it can be used remotely. Named pipe communication is not encrypted, so if you have any named pipe that is connected remotely, it will use either SMB, port 445, or RPC, which is port 135, and it is totally encrypted so you can obviously just sniff it and replay it, and in some cases even perform a man-in-the-middle attack. RPC. Most of you probably know it, but I'm going to tell it anyway. This is a protocol that allows one program to invoke services from a program located on another computer, or another service, another process. You just call it from one computer to the other. It uses port 135, and DCE/RPC is just a variant or a subtype of RPC which allows a programmer to think that the procedure being called is actually local, when in fact it is a remote one. So you just make the programmer's life a little bit more convenient. SMB, or Server Message Block. This is a famous protocol. It can be used for file sharing, printers, serial ports, et cetera. It's mostly used for file sharing and probably most of you know it through links like this, URLs that look like this. You can see \\192.168.1.1\c$; this is an SMB connection, or \\fileserver. This is the famous SMB protocol. It uses port number 445, so if you have any of these ports open you can connect to named pipes as well. But there are actually two kinds of named pipes, not only the regular named pipes. You also have unnamed pipes or anonymous pipes. Not the famous Anonymous that you see on the right, but a named pipe with a random name. This pipe is used only between a parent process and its child process.
It cannot be used for communication over the network, and this is why I haven't focused on it during my research, because I wanted to see which named pipes can be connected to remotely. So, how can you connect to a named pipe? All pipes are placed in the root directory of NPFS, which is \\ followed by the IP address of the computer (it can be a dot, for example, if it's the local computer), then \pipe\ and the pipe name. This is how you connect to a pipe. But you cannot just open your Windows Run command and connect to it. You need a special connection; you are going to need to do it using programmer's code or a dedicated tool that I'm going to show you in the next slides. Here is a URL, for example, for connecting to a named pipe. You can see \\.\pipe\foo. This is a connection to a local pipe. If you want to connect to the same pipe remotely and the ACL allows it, you just put the IP address instead of the dot character. The best tool in order to connect to named pipes is IO Ninja. This is a commercial tool; it used to be free for all non-commercial usage, but they just changed their license agreement, so now it is paid only, and you can have a non-registered copy of it. This is like the Swiss army knife of communication in general and named pipes specifically. You don't necessarily need to use it for regular TCP/IP communication, because you have netcat and Nmap and many other great tools, but this is the only good tool for named pipe communication, and this is the tool I was using during my research. So how does the communication look when you open Wireshark? Because I told you that named pipes can be remotely accessed. This is how it looks: you can see here a Wireshark window, and you can see that the named pipe is using SMB communication, and here at the bottom you can see that this is totally clear text.
So whatever is being transferred to a remote named pipe can be sniffed. But there are some limitations. If you're a programmer and you start your named pipe, you listen on a named pipe, you can protect it. So how can you do it? Using ACLs. Named pipes are implemented by a file system driver in Windows, and it just started in Windows 8 in fact. They follow ACLs or DACLs, discretionary access control lists, permissions, but the default value is that the permission is set to Everyone or Anonymous Logon. So if you create your own named pipe and you don't set the ACLs specifically, anyone can connect to it. Many named pipes allow either anonymous access or only domain user access, but obviously that's still a lot of users that can exploit vulnerabilities in it. You can modify ACLs to make only specific users able to access a named pipe, but this is not the default behavior, and unfortunately I witnessed a lot of named pipes that just didn't do it. I'm going to show you some examples. Here is a named pipe, for example; this is a Windows built-in named pipe, it is called InitShutdown. You can see that the permissions for this named pipe are Everyone, Anonymous and Administrators, which actually has no effect because everyone can access it. So anyone can access the InitShutdown named pipe, and this is a built-in Windows operating system named pipe. And named pipes, unlike any other interface you know, either regular SMB files or sockets, have an additional feature which is called maximum instances. A connection to a named pipe is called an instance, a named pipe instance. On the left you can see the different named pipes and their current number of instances, and on the right you can see that there is a maximum value for some of them. If the value is minus one, then there are no limitations.
But if this is not minus one, then there can be a number, a maximum number of connections or instances to this named pipe. So you can see here several named pipes with a value of one or a value of seven, so it means that you cannot just connect to it without any limitation. Let's talk about named pipes in the wild. Most of you probably heard about the Conficker worm or Conficker virus, that was detected in November 2008. It used flaws in the Windows operating system and it used dictionary attacks on administrator passwords to propagate while forming a botnet. It used advanced malware techniques, similarly to the recently discovered NotPetya and WannaCry ransomwares and malwares. It infected a lot of computers, millions of computers in one hundred and ninety countries, and it had several variations. This is how it looks. Very nice. One variation, which is variation C, creates a named pipe over which it pushes URLs for downloadable payloads for other infected computers in your LAN. So if you have one computer that is infected and it gets the command from the command and control center, it just propagates this command through a named pipe in order to make sure that the rest of the affected computers get the same command as well. This is not only used by Conficker but by others as well, such as Moker and ZxShell and even the famous, now famous, Petya. So how can you enumerate and scan for named pipes? If you want to have a look at your own named pipes on your own Windows computer, you can just use the Sysinternals PipeList. This is the best tool for enumerating named pipes. You can just run it and immediately see what we just witnessed in the previous slide: all of the pipe names, the current number of instances and the maximum number of instances. This is what you should use if you want to see what named pipes are listening on your own computer.
There are multiple tools for checking the access control lists of named pipes. This is a deprecated tool, it is called the BindView Pipe Security Editor, but unfortunately it is unmaintained and deprecated because it only works on Windows XP or older. You can see that this tool used to allow you to edit named pipe permissions in real time, just like you do with files. Unfortunately there are no similar tools for newer versions of Windows; this is a deprecated tool. But for current Windows versions you can use the Sysinternals PipeAcl. It comes in the same package as PipeList. Once you activate it, you see the output that we saw earlier, which tells you which groups have permissions for the current named pipe that you're checking. In this example I was checking another Windows operating system named pipe, which is called lsarpc, and here again anonymous access to everyone. So how can you remotely enumerate named pipes? There aren't many tools for doing it, but there are several scripts in Metasploit, not very common scripts and not well known, but you can use them nonetheless. This is called pipe auditor, and you can use it in order to remotely scan for named pipes. If you want to scan using SMB, you use the original pipe auditor script. If you want to scan using RPC, you use pipe dcerpc auditor. You can see an example of executing pipe dcerpc auditor, and it allows you to scan remotely. This script has its own database of named pipe names, because it's not like scanning for ports; you don't know all of the default values, so you need to have a list of named pipe names. I don't know how well this is maintained or not, but you can still try to use it. So, how can you sniff the content of named pipes?
Let's say you want to discover a new vulnerability, a new remote code execution or a new denial of service. The first thing that you need to do is to get valid communication. So how can you do it? IO Ninja to the rescue, yet again. IO Ninja, as I told you earlier, is the Swiss army knife of named pipes. You can use it both to connect to named pipes and to listen to named pipes if you want; you can even create a named pipe server, and also use it as a named pipe sniffer. This is a new module in IO Ninja. So you can see my own computer. I can start it. It has some bugs, because every now and then it finds named pipes, anonymous named pipes, that it cannot print. But if you wait a little bit... Let's see if I see some named pipe communication. As I told you, it's a rather new module, so it's not perfect yet. Just wait for a second or two. This is the Windows operating system I'm waiting for. Come on, Bill Gates, now. OK, I'll just show you in the presentation. So this is how it looks when you see communication: you can see the open named pipes, in this example it's mms server, and you can see the entire communication, totally plain text, unless of course the protocol itself embeds encryption of any kind. A key process of finding vulnerabilities, either if you want to jailbreak an iPhone or you want to find any unmanaged code vulnerabilities, is fuzzing. And this is what we were doing. If you are not familiar with fuzzing, let's just quickly go through the basic terminology and definition of it. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected or random data. You just bombard the interface with any unexpected values. It sounds a little bit like QA, but this is done automatically; QA is usually done manually.
You have the QA guy that just writes the script and sends it, and fuzzers, the automatic fuzzing tools, do it for you in the fuzzing process. You then monitor the program that you are trying to crash or to find a vulnerability in, and if anything's wrong, you know that you can further investigate. Usually fuzzers are used to test unmanaged code, C and C++, because usually you want to find any sort of buffer overflows. For example, Microsoft embeds fuzzing processes in their development operations for any product they do. For example, if you have Microsoft Office, they perform multiple fuzzing runs on each and every application of it, and they found multiple vulnerabilities in their passes. So this is a very useful technique in finding bugs. There are in fact two kinds of fuzzing: dumb fuzzing or black-box fuzzing, and smart fuzzing. In dumb fuzzing you just go over all the possible inputs without understanding the expected ones. You just bombard it with random data or with sequential data, and you don't understand what's the purpose of the parameter that you're trying to fuzz. This is simple to implement, very fast to implement, sometimes impossible to execute because you have multiple options, and the code coverage is very poor; you don't cover all of the different options in the programmer's code. On the other hand, there is smart fuzzing or white-box fuzzing, and in this technique you understand the expected inputs. You understand each parameter that is being sent to the interface, in this example the named pipes, and you slightly modify and test using the edges of the valid values to check for bugs and errors. So this is smart data generation, and if you have, for example, five fields and you have a checksum field, in smart fuzzing you need to calculate it, and of course it is harder to implement.
In Comsec we don't have a lot of resources like the different companies that presented before me, so we weren't doing a lot of smart fuzzing. We mostly focused on dumb fuzzing, but still we found very, very interesting vulnerabilities, and the reason that I show you this presentation is that I want others to move forward and use smart fuzzing as well to find new vulnerabilities. We also found this nice little script that is called Advanced Pipe Fuzzer. You can download it from this URL. It was written many years ago, but as I told you, not many people know that named pipes can be accessed remotely, so it was hard-coded for local named pipes only. We slightly modified it and improved it a little bit, and we used it in our research in order to find the vulnerabilities that I'm going to show you in our live demo. So let's see some examples of exploitation and impacts. Many pieces of software work with hidden or undocumented APIs. This can be either a web server or a Windows application server that listens on a named pipe which is totally undocumented. The forgotten nature of named pipes leaves an uncharted territory of socket-like interfaces that contain vulnerabilities: remote denial of service, buffer overflows, remote code execution and any kind of vulnerability that you can think of. Named pipes fall in between application penetration tests and infrastructure penetration tests. If you are an application penetration tester, you usually just use the normal ports, which is obviously HTTP, and every once in a while you use other variants as well, but you never look at RPC or SMB in the first place. If you see RPC or SMB you just skip it, and most of the times you barely look at it, or even don't know where it is, so application penetration tests don't look at it.
If you are in an infrastructure penetration test, whenever you see an RPC or SMB port which is open, you try to brute-force it. You try to brute-force credentials, and you try to get valid credentials in order to hack into the system, but you never look at the named pipes that listen behind these open ports. If you are an EDR expert, endpoint detection and response, multiple products try to defend your endpoint, a user station; you probably don't take special notice of remote connections. You know what named pipes are, you know that you can use them in order to hack into stuff and to elevate privileges, but you don't think a lot about the remote nature that is possible, remote connection to the named pipes. So if your Windows-installed software reads data from named pipes without validation, it's like any vulnerable application: you can have multiple vulnerabilities, including buffer overflows that can lead to denial of service or even, in some cases, remote code execution. So if the named pipe ACL, access control list, allows remote access, then remote denial of service or remote code execution can be triggered. Research of the cause behind the crash will allow the attacker to facilitate it as a zero-day vulnerability. If you find a vulnerability in one of the Windows named pipe interfaces that can be connected to remotely, and there are several such interfaces, this can be used in order to spread malware like WannaCry or NotPetya. Imagine the new NotPetya 2, or something similar that can utilize named pipe vulnerabilities. And of course remote denial of service is game over. So let's see a case study of some interesting vulnerabilities that we saw in three different Windows applications: Viber, qBittorrent and SugarSync.
You probably all know Viber, but just in case you just landed from Mars or from the Moon, this is a cellular and endpoint social communication application; the most common one is installed on your mobile device, but there is another version that you can install on your Windows operating system. It allows you to perform free calls, texts, pictures; this is the major competitor of WhatsApp, and it had eight hundred million users worldwide. qBittorrent, this is a torrent client; probably most of you know what torrent is. This is a cross-platform client for the BitTorrent protocol, free and open-source, written in C++. And SugarSync, the last application that I'm going to show you the demo for, this is a cloud service that enables active synchronization of files across computers and other devices, similar to Dropbox, used for file backup, access, syncing, sharing; it supports a variety of operating systems including Windows. And this is what I found interesting: the three applications have one common feature, they all use the widely used Qt framework as part of their application. This is a cross-platform application development framework for desktop, embedded and mobile. It also supports Windows, and in the Windows implementation of the Qt framework there was a vulnerability in the functionality that is called qtsingleapp. This is responsible for writing a temporary file, probably to make sure that your application runs only once and you don't open multiple instances of the same application. So by fuzzing named pipes, we performed just dumb fuzzing on this, and in the fuzz we found remote denial of service, or we could remotely crash the programs that I just showed you, and in qBittorrent we were also able to perform a remote command injection, which I'm going to show you. So I'm now silently praying to the demo gods; if you know the prayer, just join me. I encourage you to.
This is the virtual machine I'm going to do the demo with. This is the IP address, and first I'm going to activate Viber. Oh wait, just a second. Before I activate Viber, let me just show you the different pipes. So I activate PipeList, which is the Sysinternals tool for enumerating named pipes, and you can see different Windows named pipes: InitShutdown that we saw earlier, lsass, ntsvcs, probably svchost and other services. Once I start Viber and execute it once again, you will see that now I have this named pipe which contains Viber in it, so obviously this is qtsingleapp Viber. And now I'm going to exploit it. So let's get back to my computer. This is IO Ninja. I'm going to open a file stream that allows me to remotely connect to a named pipe. Just put the right IP in here. What was it again? 31. 132. \pipe\ and the pipe name. Oh, just a second, some problems. You need to be a domain user in this example, so I need to put in a valid set of credentials to have access to any named pipe in this example. So I'll just put in username and password. OK, now I'm connected to Viber's named pipe remotely, and if I put in just a single character, this is all that is needed for this vulnerability. If I hit the send button, you will see that now Viber is no longer responding. [applause] And this is the case with SugarSync as well, but this time I'm going to perform dumb fuzzing using the script I just showed you. So it's starting, and you can see that here I have a very similar named pipe, which is called qtsingleapp SugarSync, and I'm going to copy it. This might look like random characters, but these are in fact fixed values, so if you have Viber or you have SugarSync, you know that these named pipes are fixed. So now I'm going to activate the fuzzer we're using. OK. You can see that just after two requests, this is all it needed, and SugarSync is also dead.
And the last example I'm going to show you. This is the coolest example we found. This is qBittorrent. I'll just copy and paste the named pipe's name. But this time I won't just send a single character. We witnessed a very interesting behavior in this named pipe. For some reason they actually use values from this named pipe in order to perform commands. You can see that I sent two A characters with a space afterward, and I sent DEF CON 25, and if I send it, we get this error: torrent file DEF CON 25 does not exist. Now I prepared this rickroll torrent link, and I just replace DEF CON 25 with the rickroll link. Let me just reconnect to it. And now, qBittorrent is never going to give you up. [laughter] [applause] Thank you. So let's talk about the mitigation and the defense for the attack I just showed you. From the developer's point of view, if you are a developer, you should know the risk if you're using named pipes in your Windows application. You should create named pipes with an access control list for specific users. You should always follow the least privilege approach. Don't give any redundant permissions that are not needed in order for your application to work correctly. Just give minimal permissions, the minimum number of users, and if the named pipe should not be remotely accessed, just block it altogether and make it local only. This is also an option. And if you have the possibility, just limit the maximum number of instances for your named pipe. For users or third-party software clients: know the risk. Just block all unnecessary SMB and RPC services, 135 and 445 obviously, especially over the Internet. If you have RPC and SMB open to the Internet you have big problems, unrelated to named pipes. So just block it altogether.
Segment your networks so that at least if one computer is affected, it won't be able to spread to other computers as well, or if you have an attacker in one section of your network, he won't be able to exploit these vulnerabilities in other sections as well. And always install the latest software security patches. Just in recent days it was found that in Malwarebytes, the famous anti-malware software, there was a similar vulnerability to the one I just showed you that allowed you to inject commands as the SYSTEM user. They fixed it, so you need to install the latest version. And my favorite point of view, which is the hacker's point of view: just know the opportunity and hack. You should just use the technique that I showed you in order to search for remote code execution and remote denial of service whenever you see open SMB and RPC ports, and just have fun. You can use it and utilize it in order to find vulnerabilities that are completely uncharted. Some closing remarks: Windows named pipes are a forgotten, remotely accessible, socket-like interface. You don't need to put in your socket number, you need to put in a named pipe name. This is a whole newly rediscovered potential world of local and remote vulnerabilities, an increased attack surface, and don't ignore it, because it can lead to significant vulnerabilities. If you liked the presentation, I encourage you to contact us at Comsec. We are a small consulting company, we are not as big as the companies that were presenting, so in order to support our work and to work with professionals, I encourage you to contact us; I have my email at the end.
We are a small company, so we have the speed and agility, and multiple services that include penetration tests of all kinds, security development life cycle, architecture design, GRC services, ISO 27001 and PCI DSS, and also red teaming, DL simulation and offensive security services of all kinds. So if you have any question, or you want to contact me following my presentation, or of course if you want to contact me regarding working with Comsec, you have my Twitter and my LinkedIn and e-mail. I want to thank everyone that participated in this research, and also I want to thank Viber, who are the only ones to take this vulnerability. We tried to contact the other application owners as well, but we couldn't. So we want to thank Viber as well, and Audie, happy birthday and mazal tov. And thank you. [applause]
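The developer-side mitigations the talk lists (an explicit ACL for specific users, least privilege, local only, a bounded instance count) together with validation of whatever is read from the pipe, as an added PowerShell example that is not from the talk or from any vendor it names. It assumes Windows PowerShell 5.1 on .NET Framework (where System.IO.Pipes exposes PipeSecurity and GetAccessControl), and the pipe name, allowed account and command words are made up for illustration.

```powershell
# Added example, not from the talk. Assumes Windows PowerShell 5.1 / .NET Framework.
Add-Type -AssemblyName System.Core   # System.IO.Pipes lives here on .NET Framework

function New-HardenedPipeSecurity {
    param([Parameter(Mandatory)] [string] $AllowedAccount)  # e.g. 'DOMAIN\svc_app' (made-up)
    $sec = [System.IO.Pipes.PipeSecurity]::new()

    # Least privilege: exactly one principal, exactly the rights it needs.
    # Nothing here grants Everyone or ANONYMOUS LOGON, which is what an unset
    # DACL amounts to in the PipeAcl output shown in the talk.
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $AllowedAccount,
        [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow))

    # Local only: a client that reaches the pipe over SMB (port 445) carries the
    # NETWORK logon SID (S-1-5-2) in its token, so a Deny ACE for that SID refuses
    # remote callers even when the pipe name is known. (Native CreateNamedPipe
    # has PIPE_REJECT_REMOTE_CLIENTS for this; .NET Framework's PipeOptions has
    # no switch for it, hence the DACL route.)
    $networkSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $networkSid,
        [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny))
    return $sec
}

function Test-PipeCommand {
    # Bytes read from a pipe are untrusted input. Bound the size and accept only
    # an allowlist of commands, so nothing from the pipe is handed to a file path
    # or a command line unchecked (the qBittorrent behaviour demoed in the talk).
    param([byte[]] $Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0 -or $Bytes.Length -gt 64) { return $false }
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    return [bool]($text -cmatch '^(PING|STATUS|RELOAD)$')   # made-up command set
}

function Get-LocalPipeInventory {
    # Same view PipeList gives: every name under the NPFS root. Run it before and
    # after starting an application to see which pipe(s) it adds.
    param([string] $Pattern = '*')
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path -Path $_ -Leaf } |
        Where-Object { $_ -like $Pattern }
}

function Start-HardenedPipeServer {
    param(
        [Parameter(Mandatory)] [string] $AllowedAccount,
        [string] $PipeName = 'example_app_control',   # made-up pipe name
        [int]    $MaxInstances = 1                    # bounded, not -1 (unlimited)
    )
    $sec = New-HardenedPipeSecurity -AllowedAccount $AllowedAccount
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        $MaxInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096, $sec)

    # Verify the DACL the kernel actually applied, the way the talk checks with
    # PipeAcl, rather than trusting the one we intended to set.
    $server.GetAccessControl().GetAccessRules($true, $false,
        [System.Security.Principal.NTAccount]) |
        ForEach-Object { '{0,-6} {1,-30} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.PipeAccessRights } |
        Write-Host

    $server.WaitForConnection()
    try {
        $buf = New-Object byte[] 4096
        $n = $server.Read($buf, 0, $buf.Length)
        $msg = if ($n -gt 0) { [byte[]]$buf[0..($n - 1)] } else { [byte[]]@() }
        $reply = if (Test-PipeCommand $msg) { 'OK' } else { 'REJECTED' }
        $out = [System.Text.Encoding]::ASCII.GetBytes($reply)
        $server.Write($out, 0, $out.Length)
    } finally {
        $server.Disconnect()   # release the single instance we allowed
        $server.Dispose()
    }
}

# Usage (made-up account): Start-HardenedPipeServer -AllowedAccount 'DOMAIN\svc_app'
```

A client connecting over \\<remote-ip>\pipe\example_app_control with domain credentials, as in the demo, is refused by the NETWORK Deny ACE before the application reads a byte, and anything other than the three allowlisted words gets REJECTED rather than executed.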