Articles PoC code published for exploiting vulnerability in Windows from...

PoC code published for exploiting vulnerability in Windows from 2006


Tenable security researcher David Wells has posted details and PoC code to exploit an unpatched Windows privilege escalation vulnerability related to the PsExec administration tool.

The vulnerability was disclosed because Microsoft did not release a patch within 90 days of notification. Microsoft did not say when and whether it will fix the vulnerability at all, but noted that this “method requires an attacker to compromise the target device in order to run malicious code.”

Wells said the local privilege escalation vulnerability could be exploited by a non-administrative process to escalate privileges to the SYSTEM level when PsExec is executed remotely or locally on a device.

As noted by the expert, the problem affects Windows versions from Windows XP to Windows 10 and PsExec versions from 1.7.2 (released in 2006) to 2.2 (latest).

PoC of Vulnerability Using PsExec

PsExec, part of the Windows Sysinternals suite of utilities, allows users to execute processes on remote Windows systems without the need to install third-party software. Wells noted that PsExec contains an embedded resource named PSEXESVC that runs on a remote computer with SYSTEM privileges when using the PsExec client.

“Communication between the PsExec client and the PSEXESVC remote service is through named pipes. In particular, a pipe named \ PSEXESVC is responsible for parsing and executing PsExec client commands, such as “which application to execute”, “appropriate command line data,” the researcher explained.

Although generally low-privileged users are not granted read / write access to this \ PSEXESVC pipe, an attacker can use a technique known as pipe squatting to accomplish this. In this case, the attacker creates a named pipe \ PSEXESVC before executing the PSEXESVC process, as a result of which he gains read / write access to the pipe, allowing his low-privileged application to interact with PSEXESVC over this pipe and run with SYSTEM privileges.

If an attacker exploited the vulnerability, they would need to gain low-privilege access to the target system, deploy their malicious application, create a \ PSEXESVC channel, and wait for the target user to execute PsExec (locally or remotely). The latter requirement can reduce the likelihood of exploiting the vulnerability in real attacks.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you