Sysinternals PsTools utilities share mapping vulnerability

Date Discovered: July 15, 2004
Date Published: July 15, 2004
Last Updated: July 15, 2004


Vulnerability Description

Vulnerability ID: 28304
Discovered by: Alan Ridgeway of Computer Associates
Exploitable Locally: No
Exploitable Remotely: Yes
Impact: An attacker with a user account can execute arbitrary code as administrator on a remote machine.

Root Cause: Insecure Design


Sysinternals PsTools utilities contain a vulnerability which allows a
local attacker to gain privileged access on a remote host. Several
PsTools utilities map the IPC$ or ADMIN$ share of the remote host in
order to execute a command there. However, the utilities do not
disconnect from the IPC$ or ADMIN$ share when the program exits. An
attacker can use the existing share mapping to take administrative
actions on the remote machine. In order to exploit the issue, an
affected PsTools utility must first be successfully run against the
remote host by a legitimate user, and the user must not reboot the host
or log off. This is a non-priority technology vulnerability.



Recommendations

    Sysinternals PsTools

    Upgrade to version 2.05 or later.

    http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

    PsExec

    Upgrade to version 1.54 or later.

    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

    PsGetsid

    Upgrade to version 1.41 or later.

    http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml

    PsInfo

    Upgrade to version 1.61 or later.

    http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml

    PsKill

    Upgrade to version 1.03 from PsTools 2.05 or later.

    http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

    PsList

    Upgrade to version 1.26 or later.

    http://www.sysinternals.com/ntw2k/freeware/pslist.shtml

    PsLoglist

    Upgrade to version 2.51 or later.

    http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml

    PsPasswd

    Upgrade to version 1.21 from PsTools 2.05 or later.

    http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml

    PsService

    Upgrade to version 2.12 or later.

    http://www.sysinternals.com/ntw2k/freeware/psservice.shtml

    PsSuspend

    Upgrade to version 1.05 or later.

    http://www.sysinternals.com/ntw2k/freeware/pssuspend.shtml

    PsShutdown

    Upgrade to version 2.32 or later.

    http://www.sysinternals.com/ntw2k/freeware/psshutdown.shtml

    Alternatively, use the following workaround solutions:

    1) After running an affected PsTools utility, type "net use" to see
    the mapping to IPC$ or ADMIN$. Delete the mapping with:

    net use \\<remote host>\IPC$ /delete

    or

    net use \\<remote host>\ADMIN$ /delete

    2) Log off the user or reboot the machine.
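    The first workaround can be scripted so that no IPC$ or ADMIN$ connection is overlooked. The following PowerShell script is an added example, not code from this advisory or from Sysinternals; Get-LingeringAdminShare is a hypothetical helper name, and the script assumes an English-locale "net use" whose rows have the layout shown in its comments.

```powershell
# Added example for this advisory's workaround; not from the advisory or
# from Sysinternals. Lists the IPC$ / ADMIN$ connections that 'net use'
# reports and deletes them, so a share left open by a PsTools utility does
# not outlive the session. Assumes an English-locale 'net use' and that no
# other job still needs those connections. Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

function Get-LingeringAdminShare {
    # Hypothetical helper: parses 'net use' rows such as
    #   OK                     \\server\IPC$     Microsoft Windows Network
    #   OK           Z:        \\server\ADMIN$   Microsoft Windows Network
    # and returns one object per IPC$/ADMIN$ connection. 'Target' is what
    # 'net use /delete' must be given: the drive letter if one is mapped,
    # otherwise the UNC path (the form the advisory's workaround uses).
    param([string[]]$NetUseOutput = (& net use))

    foreach ($line in $NetUseOutput) {
        if ($line -match '^\s*\S+\s+(?:(?<local>[A-Za-z]:)\s+)?(?<remote>\\\\[^\\\s]+\\(?:IPC|ADMIN)\$)') {
            $local  = $Matches['local']
            $target = if ($local) { $local } else { $Matches['remote'] }
            [pscustomobject]@{ Local = $local; Remote = $Matches['remote']; Target = $target }
        }
    }
}

$lingering = @(Get-LingeringAdminShare)
if ($lingering.Count -eq 0) {
    Write-Host 'No IPC$ or ADMIN$ connections are currently mapped.'
    return
}

foreach ($share in $lingering) {
    # Equivalent to the advisory's "net use \\<remote host>\IPC$ /delete";
    # /y suppresses the prompt when files are still open on the share.
    if ($PSCmdlet.ShouldProcess($share.Remote, 'net use /delete')) {
        & net use $share.Target /delete /y
    }
}

# Re-check: anything still listed needs the advisory's other workaround
# (log off or reboot), or has open files that /y could not close.
Get-LingeringAdminShare | ForEach-Object { Write-Warning "Still connected: $($_.Remote)" }
```

    Connections that PsTools made with explicit alternate credentials are deleted the same way; only the mapping is removed, nothing on the remote host changes.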


Affected Technologies

    Sysinternals: psexec 1.52
    Sysinternals: psgetsid 1.4
    Sysinternals: psinfo 1.5
    Sysinternals: pskill 1.03
    Sysinternals: pslist 1.25
    Sysinternals: psloglist 2.5
    Sysinternals: pspasswd 1.21
    Sysinternals: psservice 2.1
    Sysinternals: psshutdown 2.31
    Sysinternals: pssuspend 1.04
    Sysinternals: PsTools 2.01
    Sysinternals: PsTools 2.02
    Sysinternals: PsTools 2.03


References

    Mitre CVE: MAP-NOMATCH