Local Privilege Escalation on Citrix Secure Access client for Windows

Jul 11, 2023

CVE Number

CVE-2023-24491

Credits

Rilke Petrosky of Pentraze Cybersecurity

Summary

We’ve discovered a Local Privilege Escalation vulnerability in the Citrix Secure Access client for Windows that allows an unprivileged local user to execute programs in the context of the NT AUTHORITY\SYSTEM user.

The following supported versions are affected by the vulnerability:

  • Versions before 23.5.1.3

CVSS

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

The Citrix Secure Access elevated service process (nsverctl.exe) exposes an in-process RPC server through a COM interface that can be reached from the Citrix NS client (nsload.exe) to invoke privileged operations such as arbitrary Windows registry read and write access, and service update and uninstallation.

Before allowing calls to the COM interface, the client application must authenticate by sending a key over the service process’ named pipe (\\pipe\CitrixNgServer), which triggers a code signature validation with the Windows WinVerifyTrust function.

We’ve found some ways to bypass the file integrity and WinVerifyTrust code signature check, as this function only verifies the file on disk and disregards in-memory modifications.

Our exploit patches the client application and injects a DLL in order to alter the execution flow, abuse the CnsServer::ns_serverregapi function to modify the uninstall command (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString), and then call the uninstall procedure (CnsServer::ns_LaunchUninstaller) which runs in the context of the NT AUTHORITY\SYSTEM user.

Even though the server authenticates the client executable through code signing and a unique hash shared through the named pipe, and regardless of its recent CFI and CFG mitigations, it is still possible to inject code into the running process and thus hijack the service and network driver control.

Exploit Chain:

  1. Inject exploit DLL into client application (NSload.exe).

  2. Abuse the CnsServer::ns_serverregapi registry-writing functions to replace the uninstall command string stored at SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\(product-key)\UninstallString with the exploit program.

  3. Force the client’s execution flow to call the CnsServer::ns_LaunchUninstaller function, triggering an elevated execution of the exploit program.
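The following PowerShell check is an added example and is not part of the Pentraze advisory or of Citrix's own tooling. It reads the product's Uninstall registry entry to flag installs below the fixed 23.5.1.3 build, and it inspects the UninstallString value that the exploit chain overwrites by resolving the executable it points to and verifying that file's Authenticode signature on disk. Two things are assumptions rather than facts from the advisory: that the product's Uninstall entry can be located by a DisplayName pattern (the advisory gives only "(product-key)"), and that the expected signer subject contains "Citrix"; both are exposed as parameters so they can be corrected on a real host.

```powershell
# Added defensive audit for CVE-2023-24491 (example code, not from the advisory).
# Checks: (1) DisplayVersion below the fixed build 23.5.1.3, (2) the UninstallString
# target exists on disk and carries a valid Authenticode signature from the expected signer.
[CmdletBinding()]
param(
    # ASSUMPTION: the installer's DisplayName matches this pattern; adjust if it does not.
    [string]$DisplayNamePattern = 'Citrix Secure Access*',
    # ASSUMPTION: the legitimate uninstaller is signed with a Citrix certificate subject.
    [string]$ExpectedSignerPattern = 'Citrix',
    # Fixed version as stated in the advisory.
    [version]$FixedVersion = [version]'23.5.1.3'
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$findings = @()

foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -notlike $DisplayNamePattern) { return }

        $entry = [ordered]@{
            Key             = $_.PSPath
            DisplayName     = $props.DisplayName
            DisplayVersion  = $props.DisplayVersion
            UninstallString = $props.UninstallString
            Vulnerable      = $null
            UninstallSigner = $null
            Issues          = @()
        }

        # Check 1: any version below the fixed build is in the affected range.
        $parsed = $null
        if ([version]::TryParse([string]$props.DisplayVersion, [ref]$parsed)) {
            $entry.Vulnerable = ($parsed -lt $FixedVersion)
            if ($entry.Vulnerable) {
                $entry.Issues += "DisplayVersion $parsed is below fixed version $FixedVersion"
            }
        } else {
            $entry.Issues += "DisplayVersion '$($props.DisplayVersion)' could not be parsed"
        }

        # Check 2: UninstallString is the value the exploit chain rewrites. Resolve the
        # executable (quoted path or first token) and verify its on-disk signature.
        # A valid signature proves the file is intact, not that a running process is.
        if ($props.UninstallString) {
            if ($props.UninstallString -match '^"([^"]+)"') {
                $exe = $Matches[1]
            } else {
                $exe = ($props.UninstallString -split '\s+')[0]
            }

            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $entry.UninstallSigner = $sig.SignerCertificate.Subject
                if ($sig.Status -ne 'Valid') {
                    $entry.Issues += "UninstallString target '$exe' signature status: $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch $ExpectedSignerPattern) {
                    $entry.Issues += "UninstallString target '$exe' signed by unexpected subject: $($sig.SignerCertificate.Subject)"
                }
            } else {
                $entry.Issues += "UninstallString target '$exe' not found on disk"
            }
        } else {
            $entry.Issues += 'UninstallString value is missing'
        }

        $findings += [pscustomobject]$entry
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Uninstall entry matched '$DisplayNamePattern'."
} else {
    $findings | Format-List
}
```

Run it from an elevated PowerShell session on the host being audited; any entry with a non-empty Issues list warrants a closer look. As the advisory itself points out, an on-disk signature check cannot see in-memory patches to a running client, so a clean result here confirms the installed build and the integrity of the uninstall command, not that the elevated service cannot be reached by injected code.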
