SV.PIPE.CONST
Potential pipe hijacking
If the FILE_FLAG_FIRST_PIPE_INSTANCE parameter isn't used in the CreateNamedPipe function, the pipe can be created over an existing file, allowing a malicious user to obtain security-sensitive data or possibly execute arbitrary commands.
The SV.PIPE.CONST checker finds instances in which the CreateNamedPipe function is used without FILE_FLAG_FIRST_PIPE_INSTANCE.
Vulnerability and risk
Named pipes and shared files can compromise the system and allow unauthorized users to obtain user names of legitimate users or other sensitive information. The primary risk from this vulnerability is that a malicious user could gain additional privileges and hijack the pipe to run arbitrary programs.
Mitigation and prevention
Using the FILE_FLAG_FIRST_PIPE_INSTANCE flag as the second argument in CreateNamedPipe protects against pipe highjacking attacks by ensuring that the pipe you're creating hasn't already been created.
Vulnerable code example
hPipe = CreateNamedPipe(
lpszPipename, // pipe name
PIPE_ACCESS_DUPLEX, // read/write access
PIPE_TYPE_MESSAGE | // message type pipe
PIPE_READMODE_MESSAGE | // message-read mode
PIPE_WAIT, // blocking mode
PIPE_UNLIMITED_INSTANCES, // max. instances
BUFSIZE, // output buffer size
BUFSIZE, // input buffer size
0, // client time-out
NULL); // default security attribute
Klockwork flags this code, since the FILE_FLAG_FIRST_PIPE_INSTANCE parameter isn't used in the CreateNamedPipe function. This code allows the pipe to be created over an existing file, which could enable a malicious user to obtain security-sensitive data or possibly execute arbitrary commands.
Fixed code example
hPipe = CreateNamedPipe(
lpszPipename, // pipe name
FILE_FLAG_FIRST_PIPE_INSTANCE |
PIPE_ACCESS_DUPLEX, // read/write access
PIPE_TYPE_MESSAGE | // message type pipe
PIPE_READMODE_MESSAGE | // message-read mode
PIPE_WAIT, // blocking mode
PIPE_UNLIMITED_INSTANCES, // max. instances
BUFSIZE, // output buffer size
BUFSIZE, // input buffer size
0, // client time-out
NULL); // default security attribute
In the fixed code example, the FILE_FLAG_FIRST_PIPE_INSTANCE parameter has been used, ensuring that the pipe won't be created over an existing file.
Related checkers
External guidance
- CWE-421: Race Condition During Access to Alternate Channel
- STIG-ID:APP3450.1 Access Control
- STIG-ID:APP3480.1 Role-Based Access
- STIG-ID:APP3480.2 Role-Based Access
- STIG-ID:APP3500 Excessive Privileges
- STIG-ID:APP3630.4 Application vulnerable to race conditions
- Microsoft library: Registry security and access rights
Security training
Application security training materials provided by Secure Code Warrior.