September 25, 2023

PsExec is a fully interactive tool that allows system admins to execute programs on remote systems. PsExec tool is also integrated into and used by enterprise tools to remotely launch executables on other computers.

This PsExec zero-day is caused by a named pipe hijacking vulnerability which allows attackers to trick PsExec into re-opening a maliciously created named pipe and giving it Local System permissions.

After successfully exploiting the bug, threat actors will be able to execute arbitrary processes as Local System which effectively allows them to take over the machine.

Windows machine where “admins remotely launch executables on using PsExec if the machine already has a non-admin attacker there trying to elevate their privileges” is vulnerable to attacks attempting to exploit.

POC confirm that the zero-say affects multiple Windows versions from Windows XP up to Windows 10. Version starting from v1.72 to v2.2 has the issues

This vulnerability allows an attacker who can already run code on your remote computer as a non-admin to elevate their privileges to Local System and completely take over the machine as soon as anyone uses PsExec against that machine.

Home users and small businesses, this is probably not a high-priority threat, while for large organizations it should be a threat.

Leave a Reply

%d bloggers like this: