Due to a vulnerability in the Sysinternals PsTools share mapping, an attacker with a user account can execute arbitrary code as an administrator.
Sysinternals PsTools utilities share mapping vulnerability
*Date Discovered:* July 15, 2004
*Date Published:* July 15, 2004
*Last Updated:* July 15, 2004
Vulnerability Description
*Vulnerability ID:* 28304
*Discovered by:* Alan Ridgeway of Computer Associates
*Exploitable Locally:* No
*Exploitable Remotely:* Yes
*Impact:* An attacker with a user account can execute arbitrary code as administrator on a remote machine.
*Root Cause:* Insecure Design
Sysinternals PsTools utilities contain a vulnerability which allows a local attacker to gain privileged access on a remote host. Several PsTools utilities map the IPC$ or ADMIN$ share of the remote host in order to execute a command there. However, the PsTools utilities do not disconnect from the IPC$ or ADMIN$ share when the program exits. An attacker can use the existing share mapping to take administrative actions on the remote machine. In order to exploit the issue, an affected PsTools utility must first be successfully run against a remote host by a legitimate user, and that user must not reboot the host or log off. This is a non-priority technology vulnerability.
Recommendations
Sysinternals PsTools
Upgrade to version 2.05 or later.
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
PsExec
Upgrade to version 1.54 or later.
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
PsGetsid
Upgrade to version 1.41 or later.
http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml
PsInfo
Upgrade to version 1.61 or later.
http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml
PsKill
Upgrade to version 1.03 from PsTools 2.05 or later.
http://www.sysinternals.com/ntw2k/freeware/pskill.shtml
PsList
Upgrade to version 1.26 or later.
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
PsLoglist
Upgrade to version 2.51 or later.
http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml
PsPasswd
Upgrade to version 1.21 from PsTools 2.05 or later.
http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
PsService
Upgrade to version 2.12 or later.
http://www.sysinternals.com/ntw2k/freeware/psservice.shtml
PsSuspend
Upgrade to version 1.05 or later.
http://www.sysinternals.com/ntw2k/freeware/pssuspend.shtml
PsShutdown
Upgrade to version 2.32 or later.
http://www.sysinternals.com/ntw2k/freeware/psshutdown.shtml
Alternatively, use the following workaround solutions:
1) After running an affected PsTools utility, type "net use" to see the mapping to IPC$ or ADMIN$. Delete the mapping with:
net use \\<remotehost>\IPC$ /delete
or
net use \\<remotehost>\ADMIN$ /delete
(<remotehost> is the remote host shown in the net use listing).
2) Log off the user or reboot the machine.
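The workaround above amounts to auditing `net use` output for IPC$ and ADMIN$ connections that an affected PsTools utility left open, then deleting each one. The script below is an added example (not Sysinternals or Computer Associates code) that performs that audit: it parses `net use` output, lists every IPC$/ADMIN$ connection, and builds the matching `net use ... /delete` command, deleting by drive letter where the share is mapped to one. The sample listing and the host names FILESRV01, BUILD02 and LAB03 are constructed, and the `--delete` flag and function names are this example's own.

```python
"""Audit a Windows host for IPC$ / ADMIN$ connections left behind by PsTools
and build the `net use ... /delete` commands that close them.

Added example for this advisory, not Sysinternals or CA code. Runs
report-only unless --delete is given."""
import re
import subprocess
import sys
from collections import namedtuple

# One row of `net use` output that points at an administrative share.
Mapping = namedtuple("Mapping", "local host share unc")

# `net use` rows look like:  OK   Z:   \\HOST\share   Microsoft Windows Network
# The status column may be blank and the local drive letter is optional.
_ROW = re.compile(
    r"^\s*(?:\w+\s+)?"                      # status (OK, Disconnected, ... or blank)
    r"(?:(?P<local>[A-Za-z]:)\s+)?"         # optional local drive letter
    r"(?P<unc>\\\\(?P<host>[^\\\s]+)\\(?P<share>IPC\$|ADMIN\$))"
    r"(?=\s|$)",
    re.IGNORECASE,
)

# Constructed sample output; the host names are invented.
SAMPLE_NET_USE = r"""
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\FILESRV01\IPC$          Microsoft Windows Network
OK           Z:        \\FILESRV01\Projects      Microsoft Windows Network
Disconnected           \\BUILD02\ADMIN$          Microsoft Windows Network
OK           Y:        \\LAB03\ADMIN$            Microsoft Windows Network
The command completed successfully.
"""


def parse_net_use(text):
    """Return the IPC$/ADMIN$ mappings listed in `net use` output, in order."""
    found = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            found.append(Mapping(m.group("local"), m.group("host"),
                                 m.group("share").upper(), m.group("unc")))
    return found


def delete_commands(mappings):
    """Build one `net use <target> /delete` argv per mapping. A connection
    mapped to a drive letter must be deleted by that letter; a bare share
    connection is deleted by its UNC path, as in the advisory's workaround."""
    return [["net", "use", m.local or m.unc, "/delete"] for m in mappings]


def main(argv):
    if sys.platform != "win32":
        print("net use only exists on Windows; nothing to audit here.")
        return 1
    output = subprocess.run(["net", "use"], capture_output=True, text=True).stdout
    mappings = parse_net_use(output)
    if not mappings:
        print("No IPC$ or ADMIN$ connections found.")
        return 0
    for m, cmd in zip(mappings, delete_commands(mappings)):
        print(f"{m.share} on {m.host}" + (f" (drive {m.local})" if m.local else ""))
        if "--delete" in argv:
            subprocess.run(cmd, check=False)
        else:
            print("  would run:", " ".join(cmd))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments after a PsTools session to see which administrative-share connections are still open; add `--delete` to close them. The parser deliberately ignores ordinary share mappings such as the Projects share in the sample, since only IPC$ and ADMIN$ are in scope for this advisory.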
Affected Technologies
Sysinternals: psexec 1.52
Sysinternals: psgetsid 1.4
Sysinternals: psinfo 1.5
Sysinternals: pskill 1.03
Sysinternals: pslist 1.25
Sysinternals: psloglist 2.5
Sysinternals: pspasswd 1.21
Sysinternals: psservice 2.1
Sysinternals: psshutdown 2.31
Sysinternals: pssuspend 1.04
Sysinternals: PsTools 2.01
Sysinternals: PsTools 2.02
Sysinternals: PsTools 2.03
References
Mitre CVE: MAP-NOMATCH