C:\ProgramData is where "secure" SYSTEM processes go to die.
Replying to @enigma0x3
Will Dormann @wdormann
Cisco Webex has a service that runs with LocalSystem privileges, yet the directory and EXE are both writable by a normal user. LPE! https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe … You can check your systems for similar vulnerabilities using a python script that I put together: https://gist.github.com/wdormann/db533d84df57a70e9580a6a2127e33bb … pic.twitter.com/jB01CaTa8p
Replying to @wdormann @enigma0x3
This is not "WebExec", right? 'cause that vuln had 3 versions: Original, Reloaded and Revolutions!!
But it wasn't in %Programdata% (or %ALLUSERSPROFILE%)
Replying to @MCKSysAr @enigma0x3
If you refer to the screenshot, the EXE is in C:\ProgramData\..., and is writable by normal users.
Oh, sorry, re-reading your tweet. No, there were several issues around the same time with WebEx. WebExec was something that didn't rely on weak ACLs of the service binary. It used the built-in capability of the code to execute user-provided code, as SYSTEM.
12:24 PM - 25 Jun 2019
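
Added example, not part of the thread and not the gist linked in it: a Python sketch of the weak-ACL condition the quoted tweet describes (a SYSTEM service whose EXE or directory a normal user can write), checked by parsing `icacls` output. The vendor name, paths and sample output are constructed, and English principal names are assumed.

```python
import re

# Principals present in any standard user's token. English Windows names are
# an assumption of this sketch; localized systems print different names.
LOW_PRIV = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE")
# icacls letters that let the holder replace or plant content: simple rights
# (F, M, W, D) plus specific rights such as WD (write data) and AD (append).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "WDAC", "WO",
                "GW", "GA"}
ACE_RE = re.compile(
    "(?P<who>" + "|".join(re.escape(p) for p in LOW_PRIV) + ")"
    r":(?P<groups>(?:\([A-Z,]+\))+)\s*$", re.IGNORECASE)


def weak_aces(icacls_output):
    """Return [(principal, [write rights])] for allow ACEs held by LOW_PRIV."""
    findings = []
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        # "(I)(CI)(WD,AD)" -> {"I", "CI", "WD", "AD"}
        tokens = set(re.sub(r"[()]", " ", m.group("groups").upper())
                     .replace(",", " ").split())
        if "DENY" in tokens:
            continue  # a deny ACE grants nothing
        hits = sorted(tokens & WRITE_RIGHTS)
        if hits:
            findings.append((m.group("who"), hits))
    return findings


# Constructed icacls output for a hypothetical service binary and its folder.
SAMPLE_EXE = r"""C:\ProgramData\ExampleVendor\svc.exe BUILTIN\Users:(I)(M)
                                     NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)"""
SAMPLE_DIR = r"""C:\ProgramData\ExampleVendor BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)"""
SAMPLE_OK = r"""C:\Program Files\ExampleVendor\svc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)"""

if __name__ == "__main__":
    for name, text in [("exe", SAMPLE_EXE), ("dir", SAMPLE_DIR), ("ok", SAMPLE_OK)]:
        print(name, weak_aces(text))
```

The directory sample shows why a read-only EXE is not enough: `WD`/`AD` on the folder still lets a normal user add files next to the service binary.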