PoC Released for Unpatched Windows Vulnerability Present Since 2006

Details and a proof-of-concept (PoC) exploit have been released for an unpatched privilege escalation vulnerability in Windows related to the PsExec administration tool.

The vulnerability was discovered by Tenable researcher David Wells and it was disclosed this week after Microsoft failed to release a patch within 90 days.

Microsoft has not said when or if it will patch the vulnerability, but the tech giant pointed out that “this technique requires an attacker to have already compromised the target machine to run malicious code.”

“We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” Microsoft told SecurityWeek in an emailed statement.

According to Wells, the vulnerability is a local privilege escalation issue that can be exploited by a non-admin process to elevate privileges to SYSTEM when PsExec is executed remotely or locally on the targeted computer.

The security hole has been found to affect Windows versions from Windows XP through Windows 10, and PsExec versions from 1.7.2 (released in 2006) through 2.2, the latest release at the time of disclosure.

PsExec, which is part of the Windows Sysinternals utilities suite, allows users to execute processes on remote Windows systems without the need to install third-party software.

Wells noted that PsExec contains an embedded resource named PSEXESVC that is executed on a remote machine with SYSTEM privileges when the PsExec client is used.

“Communication between the PsExec client and the remote PSEXESVC service takes place over named pipes. Specifically, the pipe named ‘PSEXESVC’ is responsible for parsing and executing the PsExec client’s commands, such as ‘which application to execute,’ ‘relevant command line data,’ etc,” the researcher explained.

Low-privileged users are normally not granted read/write access to the PSEXESVC pipe, but Wells discovered that an attacker can obtain it through a technique known as “pipe squatting.” The attacker’s low-privileged process creates a named pipe called PSEXESVC before the PSEXESVC service is started. Because the attacker’s process created the pipe name first, it controls access to the pipe and keeps read/write access once the service comes up, so the attacker’s application can send commands to PSEXESVC over the pipe and have them executed with SYSTEM privileges.

If an attacker were to exploit the vulnerability, they would need to gain low-privileged access to the targeted system, deploy their malicious app, create a PSEXESVC pipe, and wait for the targeted user to execute PsExec, either locally or remotely. This last requirement can make the security flaw less likely to be exploited in real world attacks.
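The service-and-pipe layout and the attack sequence described above translate directly into two practical checks: a detection rule over Sysmon named-pipe events, and a pre-flight test an administrator can run before pointing PsExec at a host. The Python below is an added example written for this article; it is not Tenable's proof of concept and not code from Microsoft or Sysinternals. It assumes Sysmon is logging pipe events (Event ID 17 PipeCreated and 18 PipeConnected, with the PipeName and Image fields Sysmon emits), that the legitimate service binary is named PSEXESVC.exe (matched on file name only), and that Sysmon reports the pipe name with a leading backslash as "\PSEXESVC". The sample events and process lists are constructed for the demonstration.

```python
"""Spotting PSEXESVC named-pipe squatting.

Added example for this article; not Tenable's PoC and not code from
Microsoft or Sysinternals. Two checks:

  * find_pipe_squats(): detection logic over Sysmon pipe events (Event ID
    17 PipeCreated / 18 PipeConnected). The squat is the creation of the
    pipe name \\PSEXESVC by any image other than PSEXESVC.exe. A later
    PipeCreated for the same name by the real service is reported too,
    because the service is then attaching to a name the squatter owns.
  * psexesvc_pipe_preexists(): pre-flight check for an admin about to run
    PsExec against a host. A PSEXESVC pipe that exists while no PSEXESVC.exe
    process is running is a squatter waiting for PsExec to arrive.

Assumptions (not stated by the article): the service image is named
PSEXESVC.exe, compared case-insensitively on the file name only, and the
Sysmon PipeName field carries the bare name with a leading backslash.
All sample data in this file is constructed.
"""
import os
import subprocess
import sys

PIPE_NAME = "\\PSEXESVC"          # Sysmon-style pipe name
SERVICE_IMAGE = "psexesvc.exe"    # assumed legitimate service binary


def _is_service_image(image):
    """Case-insensitive file-name match, working with Windows paths on any OS."""
    return os.path.basename(image.replace("\\", "/")).lower() == SERVICE_IMAGE


def find_pipe_squats(events):
    """Return alerts for a time-ordered list of Sysmon pipe events.

    Each event is a dict with at least EventID, UtcTime, ProcessId, Image
    and PipeName. Only PipeCreated (17) for \\PSEXESVC matters here; the
    squatter's later PipeConnected (18) is expected but is not the squat.
    """
    alerts = []
    squat = None                    # squatting event still "in force"
    for ev in events:
        if ev.get("EventID") != 17 or ev.get("PipeName") != PIPE_NAME:
            continue
        if not _is_service_image(ev.get("Image", "")):
            squat = ev
            alerts.append({
                "kind": "pipe_squat",
                "pid": ev["ProcessId"],
                "image": ev["Image"],
                "time": ev["UtcTime"],
                "detail": "PSEXESVC pipe created by a non-PsExec image; "
                          "that process now controls access to the pipe",
            })
        elif squat is not None:
            alerts.append({
                "kind": "service_attached_to_squatted_pipe",
                "pid": ev["ProcessId"],
                "image": ev["Image"],
                "time": ev["UtcTime"],
                "squatter_pid": squat["ProcessId"],
                "detail": "PSEXESVC.exe created the pipe after pid %d squatted it"
                          % squat["ProcessId"],
            })
            squat = None            # the service instance is now bound
    return alerts


def psexesvc_pipe_preexists(pipe_names, process_images):
    """True if a PSEXESVC pipe exists while no PSEXESVC.exe process is alive.

    pipe_names: entries as returned by os.listdir(r"\\.\pipe\") on Windows
    (bare names such as "PSEXESVC"). process_images: image names or paths.
    """
    has_pipe = any(n.strip("\\").lower() == "psexesvc" for n in pipe_names)
    has_svc = any(_is_service_image(p) for p in process_images)
    return has_pipe and not has_svc


def _live_windows_check():
    """Collect the real pipe and process lists on a Windows host."""
    pipes = os.listdir("\\\\.\\pipe\\")
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    images = [ln.split('","')[0].strip('"') for ln in out.splitlines() if ln]
    return psexesvc_pipe_preexists(pipes, images)


SAMPLE_EVENTS = [  # constructed Sysmon pipe events, time-ordered
    {"EventID": 17, "UtcTime": "2020-12-09 10:00:01.000", "ProcessId": 4120,
     "Image": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\squat.exe",
     "PipeName": "\\PSEXESVC"},                       # the squat
    {"EventID": 17, "UtcTime": "2020-12-09 10:00:02.000", "ProcessId": 1312,
     "Image": "C:\\Program Files\\SomeAgent\\agent.exe",
     "PipeName": "\\agentctl"},                       # unrelated pipe
    {"EventID": 17, "UtcTime": "2020-12-09 10:04:30.000", "ProcessId": 5688,
     "Image": "C:\\Windows\\PSEXESVC.exe",
     "PipeName": "\\PSEXESVC"},                       # admin ran PsExec
    {"EventID": 18, "UtcTime": "2020-12-09 10:04:30.200", "ProcessId": 4120,
     "Image": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\squat.exe",
     "PipeName": "\\PSEXESVC"},                       # squatter connects
    {"EventID": 17, "UtcTime": "2020-12-09 11:15:00.000", "ProcessId": 7004,
     "Image": "C:\\Windows\\PSEXESVC.exe",
     "PipeName": "\\PSEXESVC"},                       # clean later run
]

if __name__ == "__main__":
    for a in find_pipe_squats(SAMPLE_EVENTS):
        print(a["kind"], a["time"], a["pid"], a["image"])
    if sys.platform == "win32":
        print("PSEXESVC pipe squatted on this host:", _live_windows_check())
```

Run against the constructed events, the detector raises two alerts: the squat by pid 4120 and the service's own pipe creation that followed it; the clean PsExec run later in the list produces nothing. On a Windows host the script additionally lists the live pipes and processes and reports whether a PSEXESVC pipe is sitting there with no service behind it, which is exactly the state an attacker must hold while waiting for the target to run PsExec.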

Wells has published a blog post containing technical details and a PoC exploit has been made available on GitHub.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.