Microsoft has fixed a vulnerability in the PsExec utility that allows local users to gain elevated privileges on Windows devices.
PsExec is a Sysinternals utility designed to allow administrators to perform various actions on remote computers, such as launching executables and displaying the output on the local computer or creating reverse shells.
Due to the tool's versatility, threat actors commonly use PsExec in their post-exploitation toolkits to spread laterally to other machines on a network, execute commands on multiple devices simultaneously, or deploy malware such as ransomware.
In December 2020, Tenable researcher David Wells discovered a vulnerability in PsExec's named pipe communications that allows local users to elevate to SYSTEM privileges.
"This local privilege escalation allows a non-admin process to escalate to SYSTEM if PsExec is executed locally or remotely on the target machine. I was able to confirm this works from Windows 10 all the way back to XP and from my investigation, it affects PsExec v2.2 (latest as of this writing) all the way back to v1.72 (2006)," explained Wells.
After reporting the vulnerability, Wells gave Microsoft ninety days to fix it, and when Microsoft did not, he disclosed the flaw and released a full working PoC.
Microsoft releases fix for PsExec vulnerability
After the vulnerability was publicly disclosed, Microsoft released PsExec version 2.30 to resolve it. However, Wells stated that minor changes to his PoC could bypass the fix.
"There were new PsExec versions released in 2021 (v2.30 and v2.32), we confirmed them to also be vulnerable to this Local Privilege Escalation with minor PoC changes," Wells warned.
Yesterday, Microsoft released PsExec v2.33, which includes a new fix for the named pipe local privilege elevation vulnerability.
"This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege. The -i command line switch is now required for running processes interactively, for example with redirected IO," reads the PsExec v2.33 release notes.
Tenable has confirmed with BleepingComputer that this release has fixed the vulnerability.
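As an added example (not code from the article, Microsoft or Tenable), the following Python flags Sysmon-style pipe-creation records that fit the squatting pattern the release notes describe, and checks a PsExec version string against the fixed release. The pipe-name pattern (PSEXESVC and per-session stdin/stdout/stderr pipes), the key=value record format and the sample lines are assumptions constructed for this example.

```python
"""Flag PsExec-named pipes created by non-SYSTEM principals (a squatting signal)
and report PsExec builds older than the fixed release."""
import re
from dataclasses import dataclass

# Assumption (not from the article): the PsExec service creates pipes named
# PSEXESVC and PSEXESVC-<host>-<pid>-{stdin,stdout,stderr}, always as SYSTEM.
PSEXEC_PIPE = re.compile(r"^\\PSEXESVC(-[^\\]+-\d+-(stdin|stdout|stderr))?$", re.I)
FIXED_VERSION = (2, 33)  # v2.33 carries the working fix; v2.30 and v2.32 did not


@dataclass
class PipeEvent:
    event_id: int   # Sysmon 17 = PipeCreated, 18 = PipeConnected
    pipe_name: str
    image: str
    user: str


def parse_event(line: str) -> PipeEvent:
    """Parse one constructed 'Key=Value|Key=Value' record (not real Sysmon XML)."""
    kv = dict(part.split("=", 1) for part in line.split("|"))
    return PipeEvent(int(kv["EventID"]), kv["PipeName"], kv["Image"], kv["User"])


def is_squat_candidate(ev: PipeEvent) -> bool:
    """Creation (event 17) of a PsExec-named pipe by anyone other than SYSTEM."""
    if ev.event_id != 17 or not PSEXEC_PIPE.match(ev.pipe_name):
        return False
    return ev.user.upper() != r"NT AUTHORITY\SYSTEM"


def find_squats(lines) -> list[str]:
    """Return the pipe names of all squatting candidates among the records."""
    return [ev.pipe_name for ev in map(parse_event, lines) if is_squat_candidate(ev)]


def is_vulnerable_version(version: str) -> bool:
    """True for PsExec builds older than 2.33 (numeric compare: 2.2 < 2.30 < 2.33)."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < FIXED_VERSION


# Constructed sample records: a legitimate service pipe, a per-session pipe
# pre-created from a user-context process, the later connect event, and an
# unrelated pipe.
SAMPLE_LOG = [
    r"EventID=17|PipeName=\PSEXESVC|Image=C:\Windows\PSEXESVC.exe|User=NT AUTHORITY\SYSTEM",
    r"EventID=17|PipeName=\PSEXESVC-WS01-4242-stdin|Image=C:\Users\alice\tool.exe|User=CORP\alice",
    r"EventID=18|PipeName=\PSEXESVC-WS01-4242-stdin|Image=C:\Windows\PSEXESVC.exe|User=NT AUTHORITY\SYSTEM",
    r"EventID=17|PipeName=\srvsvc|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM",
]
```

Running `find_squats(SAMPLE_LOG)` reports only the second record, the per-session pipe created under a user account before the service connected to it.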