It's not really the same, a post-auth RCE in RDP or SSH is not a bug. A post-auth RCE in IMAP is a bug, it's not expected that an email account allows code execution. You can configure forcecommand=Xorg, but that's not a post-auth RCE in Xorg, right? It's an LPE.
I think you think we're all new to this concept of post-auth vs pre-auth RCE, but that's not it!
I don't see this as different from any post-auth bug. The svcctl interface is just that - an interface. This is a programming bug in a program that happens to be available via svcctl, for omitting proper parameter checks. Not really admin functionality at all!
Yes, but you're imagining a configuration that gives svcctl access but not code execution. That's possible, but so is forcecommand=Xorg, at some point you need to say "requires local access", or what even is an LPE?
For this vuln, WebEx really is configured to allow all local or domain users permissions to start the service, which is of course highly unusual. Normally that wouldn't be RCE, except for the service arguments @iagox86 found the CMDi in.
Replying to @jeffmcjunkin @iagox86 and
We all understand the bug. I understand your argument, a user account could have limited access, but increasing your access is the definition of an LPE, no?
Sure, absolutely. On Windows, limited users don't get to execute code remotely (barring RDP via group membership). With this, you get actual code execution. On Linux code exec via SSH as non-root is common, not so in Windows.
Replying to @jeffmcjunkin @iagox86 and
Common or not, it's still an account with some privilege, which is "escalated", right?
Yup! Absolutely, this is also privilege escalation. Escalation all the way to code exec as system.
Replying to @jeffmcjunkin @taviso and
A big part of why I don't want to lose the RCE label is like @Meatballs__ was saying: if it's marked LPE only, people won't think it's useful for lateral movement and gaining privs inside an org, which isn't true.
Hmm, I agree it's tough to communicate that concisely; I suppose it's fair to say that without further qualification, LPE overstates the level of access required.
Firm categories are hard sometimes. Thanks for the discussion. I still like RPE :) Okay, taking off for a 14-hour flight now. Thanks again!
Replying to @jeffmcjunkin @taviso and
I just call it RCE because... it provides remote code execution. When scoring with CVSS you can (and have to) say if it needs authentication or not, so category-wise it is recorded and databased (e.g. at work this is searchable for us).