View Help Online

Start here

Home
About Klocwork
What's new
Fixed issues
Release notes
Installation

Reference

C/C++ checkers
Java checkers
C# checkers
MISRA C 2004 checkers
MISRA C++ 2008 checkers
MISRA C 2012 checkers
MISRA C 2012 checkers with Amendment 1
Commands
Metrics
Troubleshooting
Reference

Product components

C/C++ Integration build analysis
Java Integration build analysis
Desktop analysis
Refactoring
Klocwork Static Code Analysis
Klocwork Code Review
Structure101
Tuning
Custom checkers

Coding environments

Visual Studio
Eclipse for C/C++
Eclipse for Java
IntelliJ IDEA
Other

Administration

Project configuration
Build configuration
Administration
Analysis performance
Server performance
Security/permissions
Licensing
Klocwork Static Code Analysis Web API
Klocwork Code Review Web API

Community

View help online
Visit RogueWave.com
Klocwork Support
Rogue Wave Videos

Legal

Legal information

SV.PIPE.VAR

Potential pipe hijacking in variable

If the FILE_FLAG_FIRST_PIPE_INSTANCE parameter isn't used in the CreateNamedPipe function, the pipe can be created over an existing file, allowing a malicious user to obtain security-sensitive data or possibly execute arbitrary commands.

The SV.PIPE.VAR checker finds instances in which the CreateNamedPipe function is used with a variable instead of the FILE_FLAG_FIRST_PIPE_INSTANCE parameter.

Vulnerability and risk

Named pipes and shared files can compromise the system and allow unauthorized users to obtain user names of legitimate users or other sensitive information. The primary risk from this vulnerability is that a malicious user could gain additional privileges and hijack the pipe to run arbitrary programs.

Mitigation and prevention

Using the FILE_FLAG_FIRST_PIPE_INSTANCE flag as the second argument in CreateNamedPipe protects against pipe highjacking attacks by ensuring that the pipe you're creating hasn't already been created.

Vulnerable code example

1    hPipe = CreateNamedPipe( 
2          lpszPipename,         // pipe name 
3          mode,          // read/write access 
5          PIPE_TYPE_MESSAGE |     // message type pipe 
6          PIPE_READMODE_MESSAGE |  // message-read mode 
7          PIPE_WAIT,           // blocking mode 
8          PIPE_UNLIMITED_INSTANCES, // max. instances  
9          BUFSIZE,            // output buffer size 
10         BUFSIZE,            // input buffer size 
11         0,                // client time-out 
12         NULL);              // default security attribute

Klockwork flags the variable in line 3 of the code. When the FILE_FLAG_FIRST_PIPE_INSTANCE parameter isn't used with CreateNamedPipe, it's possible for the pipe to be created over an existing file. In such a case, a malicious user could obtain security-sensitive data or possibly execute arbitrary commands.

Fixed code example

    hPipe = CreateNamedPipe( 
       lpszPipename,         // pipe name 
       FILE_FLAG_FIRST_PIPE_INSTANCE |
       mode,     // read/write access 
       PIPE_TYPE_MESSAGE |     // message type pipe 
       PIPE_READMODE_MESSAGE |  // message-read mode 
       PIPE_WAIT,           // blocking mode 
       PIPE_UNLIMITED_INSTANCES, // max. instances  
       BUFSIZE,            // output buffer size 
       BUFSIZE,            // input buffer size 
       0,                // client time-out 
       NULL);              // default security attribute

In the fixed code example, the FILE_FLAG_FIRST_PIPE_INSTANCE is used as the second parameter in the CreateNamedPipe function, ensuring that the pipe won't be created over an existing function.

Related checkers

External guidance

Parent topic: Pipe hijacking
Previous topic: SV.PIPE.CONST

© Rogue Wave Software, Inc. All rights reserved. | Contact