Vulnerability Detail

Sysinternals PsTools utilities share mapping vulnerability

Date Discovered:
15 Jul 2004

Date Published:
15 Jul 2004

Last Updated:
18 Oct 2004

Threat Assessment

Overall Risk: Medium
Popularity: Medium
Impact: Critical
Simplicity: Low

Characteristics

Vulnerability ID:  28304
Discovered By:  Alan Ridgeway of Computer Associates

Exploitable Locally:  No
Exploitable Remotely:  Yes

Impact:  An attacker with a user account can execute arbitrary code as administrator on a remote machine.

Root Cause:  Insecure Design

 

Description

Sysinternals PsTools utilities contain a vulnerability that allows a local attacker to gain privileged access on a remote host. Several PsTools utilities map the IPC$ or ADMIN$ share to execute a command on a remote host, but they do not disconnect from the IPC$ or ADMIN$ share when the program exits. An attacker can use the existing share mapping to take administrative actions on the remote machine. To exploit the issue, an affected PsTools utility must first be successfully run on a remote host by a legitimate user, and the user must not reboot the host or log off. This is a non-priority technology vulnerability.

Recommendations

Sysinternals PsTools

Upgrade to version 2.05 or later.

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

PsExec

Upgrade to version 1.54 or later.

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

PsGetsid

Upgrade to version 1.41 or later.

http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml

PsInfo

Upgrade to version 1.61 or later.

http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml

PsKill

Upgrade to version 1.03 from PsTools 2.05 or later.

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

PsList

Upgrade to version 1.26 or later.

http://www.sysinternals.com/ntw2k/freeware/pslist.shtml

PsLoglist

Upgrade to version 2.51 or later.

http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml

PsPasswd

Upgrade to version 1.21 from PsTools 2.05 or later.

http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml

PsService

Upgrade to version 2.12 or later.

http://www.sysinternals.com/ntw2k/freeware/psservice.shtml

PsSuspend

Upgrade to version 1.05 or later.

http://www.sysinternals.com/ntw2k/freeware/pssuspend.shtml

PsShutdown

Upgrade to version 2.32 or later.

http://www.sysinternals.com/ntw2k/freeware/psshutdown.shtml

Alternatively, use one of the following workarounds:

1) After running an affected PsTools utility, type "net use" to see the mapping to IPC$ or ADMIN$. Delete the mapping with:

net use \\<hostname>\IPC$ /delete

or

net use \\<hostname>\ADMIN$ /delete

2) Log off the user or reboot the machine.
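
Workaround 1 as a script, added here as an example and not part of the original advisory: it parses "net use" output for connections to IPC$ or ADMIN$ and deletes each one. The function names, host names and sample output are constructed for illustration.

```powershell
# Added example (not from the advisory). Function names are hypothetical.

function Get-LingeringAdminShare {
    # Returns every UNC path in "net use" output whose share is exactly IPC$ or ADMIN$.
    param([string[]]$NetUseOutput)
    $pattern = '\\\\[^\\\s]+\\(?:IPC|ADMIN)\$(?=\s|$)'
    foreach ($line in $NetUseOutput) {
        foreach ($m in [regex]::Matches($line, $pattern, 'IgnoreCase')) {
            $m.Value
        }
    }
}

function Remove-LingeringAdminShare {
    # Deletes each IPC$/ADMIN$ connection found; run with -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$NetUseOutput = (& net.exe use))
    $targets = Get-LingeringAdminShare -NetUseOutput $NetUseOutput | Sort-Object -Unique
    foreach ($unc in $targets) {
        if ($PSCmdlet.ShouldProcess($unc, 'net use /delete')) {
            & net.exe use $unc /delete
        }
    }
}

# Constructed sample of "net use" output, used to show the parsing offline.
$sample = @'
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK                     \\host-a.example\IPC$     Microsoft Windows Network
OK           Z:        \\host-b.example\projects Microsoft Windows Network
Disconnected           \\host-c.example\ADMIN$   Microsoft Windows Network
The command completed successfully.
'@ -split "`r?`n"

# Lists only the IPC$ and ADMIN$ connections; the ordinary drive mapping is ignored.
Get-LingeringAdminShare -NetUseOutput $sample

# On a workstation where an affected PsTools utility was just run:
# Remove-LingeringAdminShare -WhatIf   # show what would be deleted
# Remove-LingeringAdminShare           # delete the lingering connections
```

Run the removal in the same logon session that ran the PsTools utility, since "net use" lists only that session's connections.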

Affected Technologies

Sysinternals: psexec 1.52
Sysinternals: psgetsid 1.4
Sysinternals: psinfo 1.5
Sysinternals: pskill 1.03
Sysinternals: pslist 1.25
Sysinternals: psloglist 2.5
Sysinternals: pspasswd 1.21
Sysinternals: psservice 2.1
Sysinternals: psshutdown 2.31
Sysinternals: pssuspend 1.04
Sysinternals: PsTools 2.01
Sysinternals: PsTools 2.02
Sysinternals: PsTools 2.03

References

Mitre CVE: CVE-2002-2270

CA Global Security Advisor
