Take, for example, Linux: connect over SSH as a known regular user, then use a located binary which gives you root. Is it RCE or LPE?
Replying to @0x_saudi, @GossiTheDog and others
As an account that can't normally run code (say, the "nobody" user), then yes, it's a vulnerability.
Replying to @iagox86, @GossiTheDog and others
It is indeed, but is it RCE or LPE?
Replying to @0x_saudi, @GossiTheDog and others
If a user without login rights can run code remotely because of a coding flaw? That says RCE to me.
Replying to @iagox86, @GossiTheDog and others
Good! So if it requires a login, as shown in the image below, why consider it RCE? pic.twitter.com/kqX3wt7Hs8
Replying to @0x_saudi, @GossiTheDog and others
Because the login isn't supposed to grant code execution. Elsewhere we've called it "remote privilege escalation", but I still maintain that "authenticated RCE" is valid.
Replying to @iagox86, @GossiTheDog and others
First time I've heard "authenticated RCE". Nice finding, nice term.
Replying to @0x_saudi, @GossiTheDog and others
I used to write plugins for a vulnerability scanner for my job. Authenticated RCE or post-auth RCE was a common enough term. Just a vuln in an app after logging in.
Replying to @iagox86, @GossiTheDog and others
It seems we are fighting over terms; other than that, it's a great exploit ;)
Replying to @0x_saudi, @GossiTheDog and others
Indeed! I was chatting with @edskoudis this morning, and we likened it to calling a client-side exploit an RCE. There's an extra step - a user clicking on it - but client-side vulns are still considered RCE by most. I might write a blog/essay on this style of post-auth vuln. :)
It's not really the same, a post-auth RCE in RDP or SSH is not a bug. A post-auth RCE in IMAP is a bug, it's not expected that an email account allows code execution. You can configure forcecommand=Xorg, but that's not a post-auth RCE in Xorg, right? It's an LPE.
I think you think we're all new to this concept of post-auth vs pre-auth RCE, but that's not it!
I don't see this as different from any post-auth bug. The svcctl interface is just that - an interface. This is a programming bug in a program that happens to be available via svcctl, for omitting proper parameter checks. Not really admin functionality at all!