You already have "remote code execution" as a domain user then; the vulnerability just elevates your privileges to SYSTEM. You can't exploit the vulnerability if you can't already execute commands on the machine... That's why it is an LPE, not RCE.
I disagree, it’s remote code execution because it allows remote code execution. But peeps can call it whatever they want, it’s all just noise.
Hmm, I'm not trying to be argumentative, I respect your opinion, just trying to understand your reasoning. We agree that "psexec" is not an RCE vuln, right?
Replying to @taviso @GossiTheDog and
My understanding is that you would effectively need psexec access to exploit this, do we agree on that?
Nope. The Nmap exploit module is here: https://svn.nmap.org/nmap/scripts/smb-webexec-exploit.nse
I read it, but I can't get past this: "Given a Windows account (local or domain), this will start an arbitrary executable". That requirement means it misses the bar for RCE for me.
Replying to @taviso @GossiTheDog and
/cc @iagox86 who can maybe educate me!
Replying to @taviso @GossiTheDog and
My understanding (not being a Windows guy) is that with an unprivileged local / domain account, you can't do much against Windows (other than log in at a console). This gives you the ability to run code against a remote system that you otherwise couldn't.
Replying to @iagox86 @GossiTheDog and
AFAIK, it uses svcctl, which is also enough for psexec, no? If you consider psexec a vulnerability, then that would explain our terminology difference!
I don’t think so, as you need admin rights to install the psexec service first.
I suppose so. I guess I understand your perspective now, but I think LPE is still more accurate. But a very fun bug either way, @iagox86
Replying to @taviso @GossiTheDog and
Correct, the point that makes it arguably RCE is that _any_ user will do, admin or not. Think one phished user account used to get system on any internal box (whether it's the one that got phished or not) with vulnerable versions installed.
Replying to @jeffmcjunkin @GossiTheDog and
Hmmm, not 100% sure I understand that logic. That is usually the standard for LPE, no? Any account access can gain additional privilege?