Well this is fun...
Quote Tweet
Hossein NafisiAsl
@MeAsHacker_HNA
With #CVE-2022-29072 you can gain SYSTEM privilege in victim system when he has 7zip 😎🥳 github.com/kagancapar/CVE #Windows #PrivilegeEscalation #RedTeam
Hmmm, I think the video might be misleading... I think their argument is that any shell is privilege escalation, because psexec exists???
Not sure I understand. The privesc binary seemingly creates a malicious 7z file that is then loaded to create the privilege escalation. Where does psexec come into this?
The psexec is really just the payload they chose to execute. The vulnerability is a heap overflow in 7z that allows arbitrary commands to hh, which has a known privilege escalation. They started as an unpriv user, 7z/hh allowed them to run as admin, psexec got them to system
I'm skeptical there is any heap overflow, I think it might just be some html with a 7z extension for some reason?
Like, how would a heap overflow in 7-zip only be reachable via the help viewer? I really think this is just a confused mess of jargon, and behind the scenes it's just WScript.shell + psexec, I'm not sure that's a vulnerability.
I asked them, but their explanation doesn't make much sense. I think I'm confident this CVE is going to be withdrawn.
Quote Tweet
Kağan
@kagancapar
Replying to @taviso @jonasLyk and @MeAsHacker_HNA
No, there is a heap overflow here. Let me explain here that the command execution process takes place over the CHM file after a buffer overflow. The mistake 7-zip made here is that it calls the small process that occurs after calling the API ++
What is the part that doesn't make sense, are you an authority? I don't care if the CVE is withdrawn. It doesn't matter if you find this situation unreasonable. It's of no use to me. I don't need to prove myself to anyone. Respects.
I think you're mistaken that this is a vulnerability, you do need to prove it's legitimate if you want it fixed. It doesn't make sense because if there *was* a heap overflow, then why wouldn't the same bug be exploitable via CreateRemoteThread()?
I am not dealing with the problem. I'm looking at how I use it. Technically speaking, I'm not responding to any of my answers because you're not open-minded. If you want to talk a lot, kagancapar@gmail.com. Send your questions to this address and I'll answer when I'm available.