Zero-day vulnerability in Windows PsExec affects thousands of users

Microsoft announced the release of a micropatch that fixes a local privilege escalation (LPE) vulnerability in Windows PsExec, a tool for administering remote Windows systems. PsExec works as a fully interactive Telnet replacement that lets administrators run programs on remote machines.

The vulnerability is reportedly a named pipe hijacking flaw: a low-privileged local user can create a pipe with a specially chosen name so that PsExec reopens it and grants the user LOCAL SYSTEM privileges. If the flaw is successfully exploited, threat actors can execute arbitrary processes as SYSTEM on the local machine, taking full control of the device.
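Because the attack depends on a pipe existing before PsExec's own service creates it, one defensive check an administrator can run on a host before using PsExec against it is to enumerate the named pipes already present and flag any that look like PsExec's. The following PowerShell is an added example, not code from the article or from 0patch; the pipe-name pattern `PSEXESVC*` is assumed from the tool's documented service name and is not stated in the article.

```powershell
# Added example (not from the article or 0patch). Enumerate the named pipes
# that already exist on this host and report any matching the pattern PsExec's
# service is assumed to use. A matching pipe found BEFORE anyone has run PsExec
# against this machine is worth investigating: some other process created it.
function Find-PreexistingPsExecPipes {
    param(
        # Assumed pattern; adjust if your PsExec build uses a different pipe name.
        [string[]]$Pattern = @('PSEXESVC*')
    )

    # The named pipe namespace can be listed like a directory.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')

    foreach ($pipe in $pipes) {
        $name = [System.IO.Path]::GetFileName($pipe)
        foreach ($pat in $Pattern) {
            if ($name -like $pat) {
                [pscustomobject]@{
                    Pipe = $pipe
                    Note = 'Pipe exists before PsExec was run; identify the owning process'
                }
            }
        }
    }
}

# Usage: run as an administrator on the machine you intend to manage with PsExec.
Find-PreexistingPsExecPipes | Format-Table -AutoSize
```

The check only has meaning when no PsExec session is currently active against the host; while PsExec is legitimately connected, its service pipe is expected to be present. Applying the micropatch remains the actual fix; this is a hygiene check, not a substitute.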

Mitja Kolsek, cybersecurity specialist at 0patch, notes that any Windows computer against which PsExec is used is exposed to these attacks.

The flaw was disclosed in early December 2020, 90 days after the report was sent to Microsoft: “This local privilege escalation failure allows threat actors to take control of the target system remotely.” The flaw affects multiple versions of Windows, from XP to Windows 10. In addition, experts found that it is present in virtually every version of PsExec released since 2006.

A demonstration video shows how the micropatch prevents exploitation of this flaw. Kolsek notes that the micropatches are free and were developed entirely by 0patch.

“This vulnerability allows an attacker who can already run code on the remote computer as a non-administrator to elevate their privileges to the local system and fully control the machine as soon as someone uses PsExec against that machine,” the expert concluded. The micropatch applies to the latest 32-bit and 64-bit PsExec builds, but could be ported to earlier versions of PsExec depending on user feedback.