Local Privilege Escalation on Citrix Secure Access client for Windows

Jul 11, 2023

CVE Number

CVE-2023-24491

Credits

Rilke Petrosky of Pentraze Cybersecurity

Summary

We’ve discovered a Local Privilege Escalation vulnerability in the Citrix Secure Access client for Windows that allows unprivileged local users to execute programs in the context of the NT AUTHORITY\SYSTEM user.

The following supported versions are affected by the vulnerability:

  • Versions before 23.5.1.3

CVSS

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

The Citrix Secure Access elevated service process (nsverctl.exe) exposes an in-process RPC server through a COM interface that can be reached from the Citrix NS client (nsload.exe) and used to invoke privileged operations such as arbitrary Windows registry reads and writes, and service update and uninstallation.

Before calls to the COM interface are allowed, the client application must authenticate by sending a key over the service process’ named pipe (\\pipe\CitrixNgServer), which triggers a code-signature validation of the client with the Windows WinVerifyTrust function.

We’ve found some ways to bypass the file-integrity and WinVerifyTrust code-signature checks, since WinVerifyTrust only verifies the file image on disk and disregards modifications made to the process in memory.

Our exploit patches the client application and injects a DLL in order to alter the execution flow, abuse the CnsServer::ns_serverregapi function to modify the uninstall command (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString), and then call the uninstall procedure (CnsServer::ns_LaunchUninstaller) which runs in the context of the NT AUTHORITY\SYSTEM user.

Even though the server authenticates the client executable through code signing and a unique hash shared over the named pipe, and despite its recent CFI and CFG mitigations, it is still possible to inject code into the running client process and thereby hijack control of the service and the network driver.

Exploit Chain:

  1. Inject the exploit DLL into the client application (nsload.exe).

  2. Abuse the CnsServer::ns_serverregapi registry-writing functions to replace the uninstall command stored at SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString with the path of the exploit program.

  3. Force the client’s execution flow to call the CnsServer::ns_LaunchUninstaller function, triggering an elevated execution of the exploit program.
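To show how a defender might recognise this chain in endpoint telemetry, the following is an added example (written for this page, not part of the advisory and not Citrix's code) that runs simple detection logic over constructed Sysmon-style events. The image names and the UninstallString registry path come from the advisory; the event field layout (Sysmon RegistryEvent ID 13, CreateRemoteThread ID 8 and ProcessCreate ID 1), the install path under Program Files, the product key EXAMPLE-PRODUCT-KEY, and all user names, hosts and file paths are assumptions made for the sake of the example.

```python
"""Detection logic for the CVE-2023-24491 chain over constructed Sysmon-style events.

Added example, not part of the advisory. Image names and the registry path come
from the advisory; everything else (field layout, product key, paths, users) is
constructed for illustration.
"""
import re

ELEVATED_SERVICE = "nsverctl.exe"   # elevated service process (from the advisory)
CLIENT = "nsload.exe"               # unprivileged client process (from the advisory)

# Matches ...\CurrentVersion\Uninstall\<any product key>\UninstallString (32- and 64-bit views).
UNINSTALL_STRING_RE = re.compile(
    r"\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\[^\\]+\\UninstallString$",
    re.IGNORECASE,
)

REASON_INJECT = "remote thread created in the Citrix client process"
REASON_REGWRITE = "UninstallString rewritten by the elevated Citrix service"
REASON_SPAWN = "child process spawned by the elevated Citrix service"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return (severity, reason) for one event, or None when it is not of interest."""
    eid = event.get("EventID")
    if eid == 13 and UNINSTALL_STRING_RE.search(event.get("TargetObject", "")):
        # Installers and msiexec legitimately set this value; the signal is the
        # Citrix service itself writing it, which is step 2 of the chain.
        if _basename(event.get("Image", "")) == ELEVATED_SERVICE:
            return ("high", REASON_REGWRITE)
        return None
    if eid == 8 and _basename(event.get("TargetImage", "")) == CLIENT:
        return ("medium", REASON_INJECT)   # one common code-injection signal (step 1)
    if eid == 1 and _basename(event.get("ParentImage", "")) == ELEVATED_SERVICE:
        return ("medium", REASON_SPAWN)    # the service launching the "uninstaller" (step 3)
    return None


def detect(events):
    """All events of interest, in log order, with their severity and reason."""
    findings = []
    for index, event in enumerate(events):
        hit = classify(event)
        if hit is not None:
            findings.append({"index": index, "event_id": event["EventID"],
                             "severity": hit[0], "reason": hit[1]})
    return findings


def chain_matched(events) -> bool:
    """True when the three steps appear in order: injection into the client,
    UninstallString rewrite by the service, then a child process of the service."""
    expected = [REASON_INJECT, REASON_REGWRITE, REASON_SPAWN]
    stage = 0
    for event in events:
        hit = classify(event)
        if hit is not None and hit[1] == expected[stage]:
            stage += 1
            if stage == len(expected):
                return True
    return False


# Constructed sample telemetry (not real logs). Field names follow Sysmon's schema;
# the install path, product key, user and helper.exe are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Citrix\Secure Access Client\nsload.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"HOST\alice"},          # benign start
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\helper.exe",
     "TargetImage": r"C:\Program Files\Citrix\Secure Access Client\nsload.exe"},  # step 1
    {"EventID": 13, "Image": r"C:\Program Files\Citrix\Secure Access Client\nsverctl.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EXAMPLE-PRODUCT-KEY\UninstallString",
     "Details": r"C:\Users\alice\Downloads\helper.exe"},                          # step 2
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\helper.exe",
     "ParentImage": r"C:\Program Files\Citrix\Secure Access Client\nsverctl.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                                             # step 3
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{OTHER-KEY}\UninstallString",
     "Details": r"MsiExec.exe /X{OTHER-KEY}"},                                     # benign installer write
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("full chain observed:", chain_matched(SAMPLE_EVENTS))
```

The single highest-value signal is the elevated service rewriting an UninstallString value itself: installers and msiexec do that, a running VPN service does not, so that event alone warrants a look even when the surrounding injection and process-creation events are missing from the collected telemetry. Correlating all three in order lowers the false-positive rate but depends on Sysmon logging remote-thread creation and process creation for the client and the service.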
