0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec

ACROS Security has released a micropatch for a Local Privilege Escalation 0-day vulnerability in the SysInternals tool PsExec for its 0patch agent. PsExec is used by administrators to perform tasks with system privileges.

You would be hard pressed to find a Windows administrator who hasn't used PsExec at some point. Some people don't even know they are using PsExec, because it is embedded in several other tools (for example JetBrains' TeamCity, which may be involved in the SolarWinds story).

Local Privilege Escalation 0-day in PsExec

Tenable security researcher David Wells last month published an analysis of a local privilege escalation vulnerability in PsExec, a powerful management tool from SysInternals (which was acquired by Microsoft) that allows executables to be launched on a remote computer.

The vulnerability is based on named pipe hijacking (also known as named pipe squatting). When PsExec launches an executable on the remote computer, it creates a temporary Windows service there using PSEXESVC.EXE, a binary it extracts from its own executable. The service is started under the Local System account, and PsExec connects to the service's named pipe to give it its startup instructions. PSEXESVC.EXE creates the named pipe with permissions that do not allow a non-administrator, non-system user to connect to it.

The attack consists of a malicious local process creating a named pipe with the same name that PSEXESVC.EXE uses, before the service itself creates it. PSEXESVC.EXE, running as Local System, then attempts to create the same named pipe, but merely opens a further instance of the existing pipe, leaving the attacker's permissions on it intact. At this point the attacker can connect to the named pipe and instruct the service to run arbitrary commands as Local System.
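A defender-side illustration of the mechanism above, added here and not part of the original post or of Tenable's work: Sysmon logs pipe creation as Event ID 17 (PipeCreated), so a pipe named like PsExec's service pipe being created by anything other than the PSEXESVC.EXE service binary is the observable trace of a squat. The events below are constructed samples; the pipe name `\PSEXESVC` and the field names are assumed from Sysmon's schema, not taken from the page.

```python
"""Flag suspicious creation of the PsExec service pipe in Sysmon telemetry."""
import re

# PsExec's service pipe and its per-session stdin/stdout/stderr variants
# (well-known name, assumed here; the article does not spell it out).
PSEXEC_PIPE = re.compile(r"^\\PSEXESVC(-|$)", re.IGNORECASE)
# The only legitimate creator: the service binary PsExec drops into %WINDIR%.
EXPECTED_IMAGE = re.compile(r"\\Windows\\PSEXESVC\.exe$", re.IGNORECASE)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed Sysmon-style events (Event ID 17 = PipeCreated, 18 = PipeConnected).
SAMPLE_EVENTS = [
    {"EventId": 17, "UtcTime": "2021-01-06 10:00:01",
     "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC",
     "User": SYSTEM_USER},                                   # normal PsExec run
    {"EventId": 17, "UtcTime": "2021-01-06 10:05:12",
     "Image": r"C:\Users\bob\Downloads\squat.exe", "PipeName": r"\PSEXESVC",
     "User": r"WORKSTATION\bob"},                            # pipe squat
    {"EventId": 18, "UtcTime": "2021-01-06 10:05:13",
     "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC",
     "User": SYSTEM_USER},                                   # connect, not create
    {"EventId": 17, "UtcTime": "2021-01-06 10:07:44",
     "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass",
     "User": SYSTEM_USER},                                   # unrelated pipe
]


def is_suspicious_pipe_creation(event):
    """True if a PsExec-named pipe is created by an unexpected image or user.

    A squatter must create the pipe first, so only PipeCreated events matter.
    The optional User field (present in newer Sysmon versions) tightens the
    check: the real service always creates the pipe as SYSTEM.
    """
    if event.get("EventId") != 17:
        return False
    if not PSEXEC_PIPE.match(event.get("PipeName", "")):
        return False
    legit_image = EXPECTED_IMAGE.search(event.get("Image", "")) is not None
    user = event.get("User")
    legit_user = user is None or user.upper() == SYSTEM_USER
    return not (legit_image and legit_user)


def find_pipe_squats(events):
    """Return the PipeCreated events that look like PSEXESVC pipe squatting."""
    return [e for e in events if is_suspicious_pipe_creation(e)]


if __name__ == "__main__":
    for hit in find_pipe_squats(SAMPLE_EVENTS):
        print(f"{hit['UtcTime']} {hit['User']} {hit['Image']} created {hit['PipeName']}")
```

Because PSEXESVC.EXE reopens an already existing pipe, the squatter's creation event precedes the service's own, so ordering by UtcTime shows which process actually owns the pipe's security descriptor.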

David Wells has provided a proof-of-concept for this vulnerability. At risk are essentially all Windows machines on which admins run executables remotely with PsExec (or with management tools that embed PsExec) and on which an attacker already has a foothold without admin privileges. The attack allows that attacker to elevate privileges to Local System.

At the time of writing, no official patch is available from Microsoft. PsExec.exe and PsExec64.exe, which encapsulate the vulnerable PSEXESVC.EXE, are part of the PsTools suite and were last updated in June 2016. According to Tenable, all PsExec versions from 1.72 (from 2006) to the latest version 2.2 (from 2016) are affected, which means the vulnerability has been around for about 14 years.

0patch fix is available

Mitja Kolsek informed me on Twitter that ACROS Security is providing a micropatch for free to all 0patch users. 

[Tweet by Mitja Kolsek: PsExec 0-day LPE vulnerability (0patch fix for 0-day)]

Mitja Kolsek has published some more details about this micropatch and the vulnerability. This micropatch is available immediately for all 0patch users (so also for the Free license) and is already applied to all online computers with 0patch Agent. As always, no computer restart is required and users' work is not interrupted.

For information on how the 0patch Agent works, which loads the micropatches into memory while an application is running, please refer to the blog posts (e.g. here) I have linked below.

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
0patch supports Office 2010 with micro patches after the end of support (EOL)
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2