Local Privilege Escalation on Citrix Secure Access client for Windows

Jul 11, 2023

CVE Number

CVE-2023-24491

Credits

Rilke Petrosky of Pentraze Cybersecurity

Summary

We’ve discovered a Local Privilege Escalation vulnerability in the Citrix Secure Access client for Windows that allows unprivileged local users to execute programs in the context of the NT AUTHORITY\SYSTEM user.

The following supported versions are affected by the vulnerability:

  • Versions before 23.5.1.3

CVSS

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

The Citrix Secure Access elevated service process (nsverctl.exe) provides an in-proc RPC server through a COM interface that can be abused from the Citrix NS client (nsload.exe) to call privileged operations such as arbitrary Windows registry read and write access, and service update and uninstallation.

Before allowing calls to the COM interface, the client application must authenticate by sending a key over the service process’ named pipe (\\pipe\CitrixNgServer), which triggers a code signature validation of the client with the Windows WinVerifyTrust function.

We’ve found some ways to bypass the file integrity and WinVerifyTrust code signature check, as this function only verifies the file on disk and disregards memory modifications.

Our exploit patches the client application and injects a DLL in order to alter the execution flow, abuse the CnsServer::ns_serverregapi function to modify the uninstall command (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString), and then call the uninstall procedure (CnsServer::ns_LaunchUninstaller) which runs in the context of the NT AUTHORITY\SYSTEM user.

Even though the server authenticates the client executable through code signing and a unique hash shared through named pipes, and regardless of its recent CFI and CFG mitigations, it is still possible to inject code into the running process and thus hijack the service and network driver control.

Exploit Chain:

  1. Inject exploit DLL into client application (NSload.exe).

  2. Abuse the CnsServer::ns_serverregapi registry writing functions to replace the uninstall program string found at SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString with the path of the exploit program.

  3. Force the client’s execution flow to call the CnsServer::ns_LaunchUninstaller function, triggering an elevated execution of the exploit program.
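The chain above ends with the elevated service launching whatever the UninstallString value points to, so a defender has two cheap checks: whether the installed client version is below the fixed version 23.5.1.3, and whether the UninstallString value currently points to a present, validly signed executable in an expected location. The following PowerShell script is an added example written for this advisory; it is not code from Pentraze or from Citrix. It assumes the client registers under the standard Uninstall keys with a DisplayName containing "Citrix Secure Access" (an assumed match pattern, since the advisory does not give the product key) and that DisplayVersion parses as a System.Version.

```powershell
# Added defensive check, not code from the Pentraze advisory or from Citrix.
# Assumptions (not stated in the advisory): the client's Uninstall entry has a
# DisplayName containing "Citrix Secure Access", and DisplayVersion parses as a
# System.Version. The fixed version 23.5.1.3 is the advisory's figure.

$FixedVersion     = [version]'23.5.1.3'
$DisplayNameMatch = '*Citrix Secure Access*'   # assumed match pattern
$UninstallRoots   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Return the Uninstall subkeys whose DisplayName looks like the client.
function Get-ClientUninstallEntries {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            if ($props.DisplayName -like $DisplayNameMatch) { $props }
        }
    }
}

# Pull the executable out of an UninstallString: a quoted path or the first
# token. Bare names such as MsiExec.exe are resolved through PATH.
function Get-UninstallExecutable {
    param([string]$UninstallString)
    if ($UninstallString -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($UninstallString -split '\s+', 2)[0] }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

# Inspect the executable the UninstallString points to. The advisory's chain
# overwrites this value so that the elevated uninstall step runs attacker code,
# so a missing, unsigned, or oddly located target is worth a closer look.
function Test-UninstallTarget {
    param([string]$UninstallString)
    $exe = Get-UninstallExecutable $UninstallString
    $expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
        Where-Object { $_ }
    $inExpectedRoot = $false
    foreach ($r in $expectedRoots) {
        if ($exe -like "$r\*") { $inExpectedRoot = $true }
    }
    $status = 'Missing'; $signer = $null
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Executable      = $exe
        InExpectedRoot  = $inExpectedRoot
        SignatureStatus = $status
        Signer          = $signer
        Suspicious      = (-not $inExpectedRoot) -or ($status -ne 'Valid')
    }
}

foreach ($entry in Get-ClientUninstallEntries) {
    $installed = $null
    $versionKnown = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)

    Write-Host ("{0} {1}" -f $entry.DisplayName, $entry.DisplayVersion)
    if (-not $versionKnown) {
        Write-Host "  version could not be parsed; check manually"
    } elseif ($installed -lt $FixedVersion) {
        Write-Host "  VULNERABLE: below fixed version $FixedVersion (CVE-2023-24491)"
    } else {
        Write-Host "  patched: at or above $FixedVersion"
    }

    if ($entry.UninstallString) {
        $check = Test-UninstallTarget $entry.UninstallString
        Write-Host "  UninstallString target: $($check.Executable)"
        Write-Host "  signature: $($check.SignatureStatus) ($($check.Signer))"
        if ($check.Suspicious) {
            Write-Host "  SUSPICIOUS: review this value and the binary it points to"
        }
    } else {
        Write-Host "  no UninstallString present"
    }
}
```

The script only reads the registry and file signatures, so it runs as a standard user. Treat the "SUSPICIOUS" line as a triage signal rather than a verdict: a vendor may legitimately ship an unsigned uninstall helper, and the signer subject is printed so it can be compared against the expected publisher by hand. The version comparison is the primary indicator; the UninstallString check is there to catch a value that has already been rewritten on a host that was exposed before patching.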
