You already have "remote code execution" as a domain user, then; the vulnerability just elevates your privileges to SYSTEM. You can't exploit the vulnerability if you can't already execute commands on the machine... That's why it is an LPE, not RCE.
I disagree, it’s remote code execution because it allows remote code execution. But peeps can call it whatever they want, it’s all just noise.
Hmm, I'm not trying to be argumentative; I respect your opinion, I'm just trying to understand your reasoning. We agree that "psexec" is not an RCE vuln, right?
My understanding is that you would effectively need psexec access to exploit this, do we agree on that?
Nope. Nmap exploit module is here: https://svn.nmap.org/nmap/scripts/smb-webexec-exploit.nse …
I read it, but I can't get past this "Given a Windows account (local or domain), this will start an arbitrary executable" , that requirement means it misses the bar for RCE for me.
/cc @iagox86 who can maybe educate me!
My understanding (not being a Windows guy) is that with an unprivileged local / domain account, you can't do much against Windows (other than log in at a console). This gives you the ability to run code against a remote system that you otherwise couldn't.
AFAIK, it uses svcctl, which is also enough for psexec, no? If you consider psexec a vulnerability, then that would explain our terminology difference!
Psexec requires you to install a service, which means running OpenSCManager with SC_MANAGER_ALL_ACCESS. Webexec only requires you to start a service, which is a very small set of permissions (SC_MANAGER_CONNECT) - *any* local/domain user can do it with no special groups.
Right, psexec needs an administrator to turn it on before it can be used. If it didn't, you would consider it an RCE?
Good question. I think intent is what makes the difference here - psexec means using the remote service the way it's meant (which is why it's admin-only), whereas webexec is the result of a coding oversight.
I think if psexec worked for any local/domain user, it probably would be considered a vulnerability.