Because the login isn't supposed to grant code execution. Elsewhere we've called it "remote privilege escalation", but I still maintain that "authenticated RCE" is valid
Replying to @iagox86 @GossiTheDog and
First time I heard "authenticated RCE", nice finding, nice term
Replying to @0x_saudi @GossiTheDog and
I used to write plugins for a vulnerability scanner for my job. Authenticated RCE or post-auth RCE was a common enough term. Just a vuln in an app after logging in.
Replying to @iagox86 @GossiTheDog and
It seems we are fighting on terms; other than that, it's a great exploit ;)
Replying to @0x_saudi @GossiTheDog and
Indeed! I was chatting with @edskoudis this morning, and we likened it to calling a client-side exploit an RCE. There's an extra step - a user clicking on it - but client-side vulns are still considered RCE by most. I might write a blog/essay on this style of post-auth vuln. :)
It's not really the same, a post-auth RCE in RDP or SSH is not a bug. A post-auth RCE in IMAP is a bug, it's not expected that an email account allows code execution. You can configure forcecommand=Xorg, but that's not a post-auth RCE in Xorg, right? It's an LPE.
I think you think we're all new to this concept of post-auth vs pre-auth RCE, but that's not it!
I don't see this as different from any post-auth bug. The svcctl interface is just that - an interface. This is a programming bug in a program that happens to be available via svcctl, for omitting proper parameter checks. Not really admin functionality at all!
Yes, but you're imagining a configuration that gives svcctl access but not code execution. That's possible, but so is forcecommand=Xorg; at some point you need to say "requires local access", or what even is an LPE?
For this vuln, WebEx really is configured to allow all local or domain users permissions to start the service, which is of course highly unusual. Normally that wouldn't be RCE, except for the service arguments @iagox86 found the CMDi in.
We all understand the bug. I understand your argument, a user account could have limited access, but increasing your access is the definition of an LPE, no?
Sure, absolutely. On Windows, limited users don't get to execute code remotely (barring RDP via group membership). With this, you get actual code execution. On Linux code exec via SSH as non-root is common, not so in Windows.
Replying to @jeffmcjunkin @iagox86 and
Common or not, it's still an account with some privilege, which is "escalated", right?