First time I heard "authenticated RCE". Nice finding, nice term.

I used to write plugins for a vulnerability scanner for my job. Authenticated RCE or post-auth RCE was a common enough term. Just a vuln in an app after logging in.
It seems we are fighting over terms; other than that, it's a great exploit ;)
Indeed! I was chatting with @edskoudis this morning, and we likened it to calling a client-side exploit an RCE. There's an extra step - a user clicking on it - but client-side vulns are still considered RCE by most. I might write a blog/essay on this style of post-auth vuln. :)

It's not really the same, a post-auth RCE in RDP or SSH is not a bug. A post-auth RCE in IMAP is a bug, it's not expected that an email account allows code execution. You can configure forcecommand=Xorg, but that's not a post-auth RCE in Xorg, right? It's an LPE.
I think you think we're all new to this concept of post-auth vs pre-auth RCE, but that's not it!
I don't see this as different from any post-auth bug. The svcctl interface is just that - an interface. This is a programming bug in a program that happens to be available via svcctl, for omitting proper parameter checks. Not really admin functionality at all!
Yes, but you're imagining a configuration that gives svcctl access but not code execution. That's possible, but so is forcecommand=Xorg. At some point you need to say "requires local access", or what even is an LPE?
1 reply 0 retweets 1 like -
For this vuln, WebEx really is configured to allow all local or domain users permissions to start the service, which is of course highly unusual. Normally that wouldn't be RCE, except for the service arguments @iagox86 found the CMDi in.

Nearly all services have perms for admins only (local or remote). The non-standard permissions along with the CMDi is what gives code execution. Same as adding Domain Users to local Administrators group for Win <10
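A check for the configuration the two posts above describe, added here as an example; it is not code from the thread, from WebEx, or from any of the participants. The PowerShell script reads each installed service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and reports every allow ACE that hands a low-privileged principal (Everyone, Authenticated Users, Interactive, BUILTIN\Users, Domain Users) the right to start, stop or reconfigure the service or to rewrite its DACL. The sample SDDL and the service name SampleSvc are constructed for illustration and are not any real product's ACL.

```powershell
# Added example, not code from the thread or from WebEx. Flags services whose
# DACL grants start/stop/reconfigure or DACL-write rights to low-privileged
# principals. Assumes sc.exe is on PATH and that the caller has READ_CONTROL
# on each service (default service DACLs grant it to interactive users).

# Service-specific access-mask bits (winsvc.h) plus generic/standard rights
$ServiceRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    SERVICE_START         = 0x00000010
    SERVICE_STOP          = 0x00000020
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_WRITE         = 0x40000000
    GENERIC_ALL           = 0x10000000
}

# Principals that, on a default install, should only be able to query a service
$LowPrivSids = @(
    [System.Security.Principal.WellKnownSidType]::WorldSid,              # Everyone
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid,  # Authenticated Users
    [System.Security.Principal.WellKnownSidType]::InteractiveSid,        # INTERACTIVE
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid,       # BUILTIN\Users
    [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid  # Domain Users
)

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe prints an empty line followed by the SDDL string
    $out = & sc.exe sdshow $Name 2>$null
    $out | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
}

function Test-ServiceDacl {
    param([string]$Name, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant anything; deny and audit entries are skipped
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        $isLowPriv = $false
        foreach ($w in $LowPrivSids) {
            if ($sid.IsWellKnown($w)) { $isLowPriv = $true; break }
        }
        if (-not $isLowPriv) { continue }

        # Collect every interesting right present in this ACE's access mask
        $granted = foreach ($r in $ServiceRights.GetEnumerator()) {
            if (($ace.AccessMask -band $r.Value) -ne 0) { $r.Key }
        }
        if ($granted) {
            [pscustomobject]@{
                Service   = $Name
                Principal = $sid.Value
                Rights    = ($granted -join ',')
            }
        }
    }
}

# Constructed sample (not a real service's SDDL): a default-looking DACL plus
# one extra ACE that hands SERVICE_START (RP) to Authenticated Users (AU).
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;AU)'
Test-ServiceDacl -Name 'SampleSvc' -Sddl $SampleSddl | Format-Table -AutoSize

# Live sweep of every installed service on this host
$Findings = foreach ($svc in Get-Service) {
    $sddl = Get-ServiceSddl -Name $svc.Name
    if ($sddl) { Test-ServiceDacl -Name $svc.Name -Sddl $sddl }
}
$Findings | Format-Table -AutoSize
```

On the constructed sample the only row reported is the AU entry with SERVICE_START; SYSTEM and Administrators are not in the low-privilege list, and the INTERACTIVE entry carries query rights only. On a live host, treat each hit as a lead rather than a finding: as the thread says, being allowed to start a service is not code execution by itself. It becomes one only when, as with the service under discussion, the start path or the arguments passed at start time let the caller influence what actually runs, so every flagged service still needs its binary and start parameters reviewed.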
You don't need to explain Windows to me. I've patched EPROCESS enough that I can memorize the offsets.
Oh, I have full respect for your Windows-fu! I'm trying to keep the fanboy-ism to a minimum.