Vulnerability Development mailing list archives
Re: generic privellage escalation
From: Valdis.Kletnieks () vt edu
Date: Fri, 02 Jan 2004 15:39:35 -0500
On Wed, 31 Dec 2003 18:00:06 EST, Ben Greenberg <benfallout2 () hotmail com> said:
-ability to execute commands one at a time statelessly through the url, and with a response to the browser ESCALATE TO a netcat created port for connecting to a shell
-also is there any document with generically applicable php, asp, server side include command execution/privilege escalation?
Fortunately for us, there's no *generic* way to do it. Think about the implications if it were so.

Usually, what's required is:

1) an initial break that allows commands. This probably *won't* have sufficient leverage by itself, unless the command you can run is 'sh | netcat' ;)

2) You then need to chain on OTHER issues and take tiny baby steps towards the goal. Not all tricks will work in all environments, so this really is a test-and-see problem.

For one of the best "how it *really* works" in practice, see Liu Die Yu's "Six Step IE Remote Compromise Cache Attack". No one bug is enough, there's a lot of jumping through hoops.
Current thread:
- generic privellage escalation Ben Greenberg (Jan 02)
- Re: generic privellage escalation Valdis . Kletnieks (Jan 02)