Zscaler Client Connector Zero-interaction Privilege Escalation Vulnerability

by Esmeralda McKenzie

A new privilege escalation vulnerability has been discovered in Zscaler Client Connector, combining three different vulnerabilities.

The three vulnerabilities are a revert password check flaw (CVE-2023-41972), arbitrary code execution (CVE-2023-41973), and arbitrary file deletion (CVE-2023-41969).


Although these vulnerabilities are low-severity on their own, chaining them escalates a threat actor from standard user privileges to the high-privileged NT AUTHORITY\SYSTEM service account on Windows.

However, these vulnerabilities have been fixed by Zscaler in the latest versions of Zscaler Client Connector.

Technical Analysis

According to the researchers, Zscaler Client Connector is a native desktop client that connects to Zscaler's various network tunnels.

Zscaler Client Connector consists of two major processes: ZSATray and ZSATrayManager.

ZSATrayManager runs as a service as NT AUTHORITY\SYSTEM and handles network management, configuration enforcement, and updates.

ZSATray is a front-end application built on the .NET Framework. It and ZSATrayManager communicate using Microsoft Remote Procedure Call (RPC) via ZSATrayHelper.dll, which contains the sendZSATrayManagerCommand method.

However, Zscaler implements RPC call validations to ensure that these RPC calls are made from trusted processes.

This check is performed in two ways: Process ID validation and Caller Process validation.

In fact, Zscaler's implementation is such that if any PID hash already exists in the ZSATrayManager cache memory, these two validations can be bypassed.

As another alternative, Process Injection can also be used, by injecting into the user-owned ZSATray.exe process to run arbitrary code.

This process would pass all the security checks, but it is difficult to carry out because ZSATray is a .NET assembly with managed code.

CVE-2023-41972: Revert Password Check Flawed Type Validation

Since the RPC call check is bypassed by the above steps, the next step is finding the supported RPC functions that can be leveraged to perform privilege escalation.

Zscaler has implemented additional authentication for some functions, such as PERFORM_APP_REVERT.

This function reverts Zscaler Client Connector to a previous version using an older installer.

Furthermore, the function accepts previousInstallerName, pwdType, and password as arguments. However, the function will only execute if the correct password is provided.

Further analysis revealed that ZSATrayManager does not check whether pwdType matches PASSWORD_TYPE.ZCC_REVERT_PWD, meaning that the password check function will trust any pwdType passed via the RPC.

Therefore, this check can be bypassed by setting pwdType in the RPC to SHOW_ADVANCED_SETTINGS.

CVE-2023-41973: Lack of Input Sanitization in Zscaler Client Connector

Diving deeper into the PERFORM_APP_REVERT function, it was found that the function accepts previousInstallerName as an argument, which is appended to C:\Program Data\ZScaler\RevertZcc and is normally set to {VERSION NUMBER}.exe.

The file at this path is executed by ZSATrayManager as NT AUTHORITY\SYSTEM. To exploit this, a threat actor can supply a path traversal string such as ..\..\{ATTACKER-CONTROLLED PATH} to have the payload executed.

In addition, DLL hijacking is also performed against ZSAService, which results in arbitrary code execution. This ultimately leads to gaining NT AUTHORITY\SYSTEM privileges.
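As an added illustration (not Zscaler's code, but a hypothetical model of the PERFORM_APP_REVERT checks described above), the following Python contrasts a password check that trusts the caller-supplied pwdType with one that pins the type to ZCC_REVERT_PWD, and constrains previousInstallerName to a bare {VERSION NUMBER}.exe file name that stays inside the revert directory. The directory path is taken from the article; the secrets and the function names are constructed for the example.

```python
import hmac
import re
from pathlib import PureWindowsPath

# Hypothetical model of the PERFORM_APP_REVERT checks; not Zscaler's code.
REVERT_DIR = PureWindowsPath(r"C:\Program Data\ZScaler\RevertZcc")
# Only a bare {VERSION NUMBER}.exe file name is acceptable, e.g. 4.2.0.209.exe
INSTALLER_NAME_RE = re.compile(r"\d+(\.\d+){1,3}\.exe")

ZCC_REVERT_PWD = "ZCC_REVERT_PWD"
SHOW_ADVANCED_SETTINGS = "SHOW_ADVANCED_SETTINGS"

# Constructed per-type secrets standing in for the real policy values.
EXPECTED_PASSWORDS = {
    ZCC_REVERT_PWD: "constructed-revert-secret",
    SHOW_ADVANCED_SETTINGS: "constructed-advanced-secret",
}


def weak_password_check(pwd_type: str, password: str) -> bool:
    """Models the flaw: the caller's pwdType selects which secret is compared,
    so any password type the caller knows satisfies a revert request."""
    expected = EXPECTED_PASSWORDS.get(pwd_type)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def strict_password_check(pwd_type: str, password: str) -> bool:
    """Hardened: the revert handler insists on its own password type before comparing."""
    if pwd_type != ZCC_REVERT_PWD:
        return False
    expected = EXPECTED_PASSWORDS[ZCC_REVERT_PWD]
    return hmac.compare_digest(expected.encode(), password.encode())


def resolve_installer_path(previous_installer_name: str):
    """Return the installer path only if the name is a plain version file name
    and the joined path stays directly inside REVERT_DIR; otherwise None."""
    if not INSTALLER_NAME_RE.fullmatch(previous_installer_name):
        return None
    candidate = REVERT_DIR / previous_installer_name
    # Defence in depth: a traversal or absolute component would change the parent.
    if candidate.parent != REVERT_DIR:
        return None
    return str(candidate)


def authorize_revert(previous_installer_name: str, pwd_type: str, password: str):
    """Combined hardened check; returns the path to run as SYSTEM, or None to refuse."""
    if not strict_password_check(pwd_type, password):
        return None
    return resolve_installer_path(previous_installer_name)
```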

To fix these vulnerabilities, users of Zscaler Client Connector are advised to upgrade to version 4.2.0.209 / 4.3.0.121 or higher.

Source credit : cybersecuritynews.com
