Tenable security researcher David Wells has posted details and PoC code to exploit an unpatched Windows privilege escalation vulnerability related to the PsExec administration tool.
The vulnerability was disclosed because Microsoft did not release a patch within 90 days of notification. Microsoft did not say when and whether it will fix the vulnerability at all, but noted that this “method requires an attacker to compromise the target device in order to run malicious code.”
Wells said the local privilege escalation vulnerability could be exploited by a non-administrative process to escalate privileges to the SYSTEM level when PsExec is executed remotely or locally on a device.
As noted by the expert, the problem affects Windows versions from Windows XP to Windows 10 and PsExec versions from 1.7.2 (released in 2006) to 2.2 (latest).
PoC of Vulnerability Using PsExec
PsExec, part of the Windows Sysinternals suite of utilities, allows users to execute processes on remote Windows systems without the need to install third-party software. Wells noted that PsExec contains an embedded resource named PSEXESVC that runs on a remote computer with SYSTEM privileges when using the PsExec client.
“Communication between the PsExec client and the PSEXESVC remote service is through named pipes. In particular, a pipe named \ PSEXESVC is responsible for parsing and executing PsExec client commands, such as “which application to execute”, “appropriate command line data,” the researcher explained.
Although generally low-privileged users are not granted read / write access to this \ PSEXESVC pipe, an attacker can use a technique known as pipe squatting to accomplish this. In this case, the attacker creates a named pipe \ PSEXESVC before executing the PSEXESVC process, as a result of which he gains read / write access to the pipe, allowing his low-privileged application to interact with PSEXESVC over this pipe and run with SYSTEM privileges.
If an attacker exploited the vulnerability, they would need to gain low-privilege access to the target system, deploy their malicious application, create a \ PSEXESVC channel, and wait for the target user to execute PsExec (locally or remotely). The latter requirement can reduce the likelihood of exploiting the vulnerability in real attacks.