Guest Posted January 11, 2021 (edited)

For more info see the article below:
https://www.bleepingcomputer.com/news/security/windows-psexec-zero-day-vulnerability-gets-a-free-micropatch/

Quote
....While researching the vulnerability and creating a proof-of-concept, Wells was able to confirm that the zero-day affects multiple Windows versions from Windows XP up to Windows 10......

Just today PsExec.exe v.2.21 is out:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

After downloading the tool I discovered that the version of PsExec.exe is v.2.30. Although the system requirements specify Windows Vista onwards, through CFF Explorer I discovered that in:

Quote
Optional Header:
Major Operating systemversion = 5
Major subsystem version = 5

so it can also run with Windows XP.

I use PsExec on my Windows XP PC with the command:
psexec -l -d
to run New Moon 28 and MailNews with limited-user privileges. I have installed the IsAdmin extension in my New Moon 28 browser and I have verified that the tool works.

Probably, considering that the new version of PsExec.exe was released very quickly after the vulnerability was made public, this new version fixes the above specified vulnerability:

Quote
....He also found that it impacts multiple PsExec versions, starting with v1.72 released back in 2006 and ending with PsExec v2.2.....

Edited January 11, 2021 by Sampei.Nihira

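The Optional Header check described in the post above, as an added example that is not part of the original thread: it reads the declared operating system and subsystem versions straight from a PE file, the same fields CFF Explorer displays. The function names are hypothetical and the sample header bytes are constructed for the demonstration.

```python
import struct
import sys

def pe_declared_versions(data: bytes) -> dict:
    """Read the OS/subsystem versions a PE image declares in its Optional Header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 20-byte COFF header follows the signature; SizeOfOptionalHeader is at +16.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt = e_lfanew + 24
    if opt_size < 52 or opt + 52 > len(data):
        raise ValueError("Optional Header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown Optional Header magic")
    # Six version words start at offset 40 in both PE32 and PE32+:
    # OS major/minor, image major/minor, subsystem major/minor.
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    return {"os": (os_maj, os_min), "subsystem": (ss_maj, ss_min)}

def header_allows(data: bytes, os_version: tuple) -> bool:
    """True if the declared subsystem version does not exceed os_version.

    Necessary, not sufficient: imports missing on that OS still stop the load.
    """
    return pe_declared_versions(data)["subsystem"] <= os_version

def constructed_pe_header(ss=(5, 0), os_=(5, 0), magic=0x10B) -> bytes:
    """Constructed sample: a bare PE header with only the fields read above set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<6H", opt, 40, os_[0], os_[1], 0, 0, ss[0], ss[1])
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Pass a path to a real executable, or run with no argument for the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_pe_header()
    print(pe_declared_versions(raw), "XP (5.1) allowed by header:", header_allows(raw, (5, 1)))
```
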
dencorso Posted January 11, 2021

Why not use PAExec instead? It's redistributable and supported...
https://www2.poweradmin.com/paexec/

Guest Posted January 12, 2021 (edited)

1) PAExec does not encrypt the data:
https://github.com/poweradminllc/PAExec/issues/31
Even the officially supported version for XP (v. 2.11) encrypts data.

2) Development seems to have stopped many years ago .... too many. It would be interesting to find out which version of PsExec.exe is embedded in the latest version of PAExec 1.28.

3) It probably suffers from the same vulnerability discovered recently.

Edited January 12, 2021 by Sampei.Nihira

jaclaz Posted January 12, 2021

I think I'll sleep well as always tonight.

Quote
Q: Is this vulnerability a big deal?
A: Depends on your threat model. This vulnerability allows an attacker who can already run code on your remote computer as a non-admin (e.g., by logging in as a regular Terminal Server user, or establishing an RDP session as a domain user, or breaking into a vulnerable unprivileged service running on the remote computer) to elevate their privileges to Local System and completely take over the machine as soon as anyone uses PsExec against that machine. For home users and small businesses this is probably not a high-priority threat, while for large organizations it may be.

from:
https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html

jaclaz

Guest Posted January 12, 2021 (edited)

You do well. I've been sleeping well since last Friday.
https://www.wilderssecurity.com/threads/0patch.386344/page-4#post-2981136

However, this warning thread + solution might be useful to some other MSFN member.

Edited January 12, 2021 by Sampei.Nihira