Sampei.Nihira, posted January 11, 2021 (edited January 11, 2021)

For more info see the article below:

https://www.bleepingcomputer.com/news/security/windows-psexec-zero-day-vulnerability-gets-a-free-micropatch/

Quote:
....While researching the vulnerability and creating a proof-of-concept, Wells was able to confirm that the zero-day affects multiple Windows versions from Windows XP up to Windows 10......

Just today PsExec.exe v.2.21 is out:

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

After downloading the tool I discovered that the version of PsExec.exe is v.2.30.

Although the system requirements specify Windows Vista onwards, through CFF Explorer I discovered that in:

Quote:
Optional Header:
Major Operating system version = 5
Major subsystem version = 5

so it can also run with Windows XP.

I use PsExec on my Windows XP PC with the command:

psexec -l -d

to run New Moon 28 and MailNews with limited-user privileges.

I have installed the extension IsAdmin in my browser New Moon 28 and I have verified that the tool works.

Probably, considering that the new version of PsExec.exe was released very quickly after the vulnerability was made public, this new version fixes the above specified vulnerability:

Quote:
....He also found that it impacts multiple PsExec versions, starting with v1.72 released back in 2006 and ending with PsExec v2.2.....
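The header check described in the post above, as an added example that is not part of the original thread: a small parser that reads the declared OS and subsystem versions from a PE optional header, the same two fields CFF Explorer shows. The function names and the sample header are constructed for illustration; the minor version values in the sample are assumptions, since the post only gives the major values.

```python
import struct

XP, VISTA = (5, 1), (6, 0)  # Windows version numbers for XP and Vista

def pe_min_versions(data: bytes) -> dict:
    """Read the OS and subsystem versions declared in a PE optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    if len(data) < opt + 52 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The six version words sit at offset 40 in both PE32 and PE32+:
    # OS major/minor, image major/minor, subsystem major/minor.
    os_maj, os_min, _, _, sub_maj, sub_min = struct.unpack_from("<6H", data, opt + 40)
    return {"os": (os_maj, os_min), "subsystem": (sub_maj, sub_min)}

def declares_support_for(data: bytes, target: tuple) -> bool:
    """True if both declared minimum versions are <= the target Windows version.
    This is only what the header claims; imports may still be missing there."""
    v = pe_min_versions(data)
    return v["os"] <= target and v["subsystem"] <= target

def build_sample_header(os_ver, sub_ver, magic=0x10B) -> bytes:
    """Constructed minimal header for the demo (not a real PsExec binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<6H", opt, 40, *os_ver, 0, 0, *sub_ver)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    sample = build_sample_header((5, 0), (5, 0))  # majors as reported in the post
    print(pe_min_versions(sample), declares_support_for(sample, XP))
```

To inspect a real file, pass the bytes of the downloaded executable (for example `open(path, "rb").read()`) to `pe_min_versions`.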

dencorso, posted January 11, 2021

Why not use PAExec instead? It's redistributable and supported...

https://www2.poweradmin.com/paexec/

Sampei.Nihira, posted January 12, 2021 (edited January 12, 2021)

1) PAExec does not encrypt the data:

https://github.com/poweradminllc/PAExec/issues/31

Even the officially supported version for XP (v. 2.11) encrypts data.

2) Development seems to have stopped many years ago .... too many. It would be interesting to find out which version of PsExec.exe is embedded in the latest version of PAExec 1.28.

3) It probably suffers from the same vulnerability discovered recently.

jaclaz, posted January 12, 2021

I think I'll sleep well as always tonight.

Quote:
Q: Is this vulnerability a big deal?
A: Depends on your threat model. This vulnerability allows an attacker who can already run code on your remote computer as a non-admin (e.g., by logging in as a regular Terminal Server user, or establishing an RDP session as a domain user, or breaking into a vulnerable unprivileged service running on the remote computer) to elevate their privileges to Local System and completely take over the machine as soon as anyone uses PsExec against that machine. For home users and small businesses this is probably not a high-priority threat, while for large organizations it may be.

from: https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html

jaclaz

Sampei.Nihira, posted January 12, 2021 (edited January 12, 2021)

You do well. I've been sleeping well since last Friday.

https://www.wilderssecurity.com/threads/0patch.386344/page-4#post-2981136

However, this warning thread + solution might be useful to some other MSFN member.