
NETWRIX AUDITOR ADVISORY SUMMARY

The following document describes identified vulnerabilities in the Netwrix Auditor application in supported versions prior to 10.5.

Product Vendor

Netwrix

Product Description

Auditor is IT auditing software used to track assets within an organization. The product’s official website is https://www.netwrix.com/auditor.html. The latest version of the application is 10.5, released on June 6, 2022.

Vulnerabilities List

One vulnerability was identified within the Netwrix Auditor application:

  • Insecure Object Deserialization

This vulnerability is described in the following sections.

Affected Version

All supported versions prior to 10.5

Summary of Findings

The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. This issue is caused by an unsecured .NET remoting port accessible on TCP port 9004.

Impact

An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.

Solution

Update to version 10.5

Insecure Object Deserialization

Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.

Vulnerability Details

CVE ID: Pending

Vulnerability Type: Insecure Object Deserialization

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☒ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☒ Critical, ☐ High, ☐ Medium, ☐ Low

Vulnerability: CWE-502

The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. In a typical real-world scenario, Netwrix Auditor services would be running with a highly privileged account, which could lead to full compromise of the Active Directory environment.

This issue was discovered by performing a TCP port scan of a Netwrix Auditor server using the tool nmap. As the following output demonstrates, the Netwrix server had a .NET remoting service available on TCP port 9004:

FIGURE 1 – Scanning for services on Netwrix server

The netstat and tasklist commands were used on the Netwrix server to find out which process was exposing the .NET remoting service:

FIGURE 2 – Identifying the .NET remoting service
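The triage described in the two steps above (find the listener, then map it to its owning process) can be reproduced offline against captured command output. The following Python script is an added defender-side example, not code from the Bishop Fox advisory or from Netwrix: it parses `netstat -ano` and `tasklist` text to find whatever process is bound to TCP 9004, flags a wildcard bind that makes the remoting channel reachable from the network rather than only from localhost, and compares an installed version string against the 10.5 fix named in the advisory. The PID, memory figures and addresses in the embedded samples are constructed; `UAVRServer.exe` and port 9004 come from the advisory.

```python
"""Offline triage for an exposed .NET remoting listener on a Netwrix Auditor host.

Inputs are the plain-text output of `netstat -ano` and `tasklist` as produced on
Windows. The two samples below are constructed for this example; only the
process name UAVRServer.exe and the port number 9004 are taken from the advisory.
"""
import re

REMOTING_PORT = 9004
FIXED_VERSION = (10, 5)  # advisory: all supported versions prior to 10.5 are affected
LOOPBACK_BINDS = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` (PIDs and addresses are invented).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9004           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:9004         127.0.0.1:50122        ESTABLISHED     4312
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       1048
"""

# Constructed sample of `tasklist` matching the PIDs above.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    912 Services                   0     12,340 K
UAVRServer.exe                4312 Services                   0    210,004 K
svchost.exe                   1048 Services                   0      9,212 K
"""


def parse_netstat_listeners(text):
    """Return {(local_address, port): pid} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns: Proto, Local, Foreign, State, PID.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        address, _, port = parts[1].rpartition(":")  # handles "[::]:9004" as well
        listeners[(address, int(port))] = int(parts[4])
    return listeners


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist` output; header rows do not match."""
    procs = {}
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def exposed_remoting_listeners(netstat_text, tasklist_text, port=REMOTING_PORT):
    """List every process listening on `port`, noting whether the bind is
    reachable from the network (anything other than a loopback address)."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for (address, bound_port), pid in parse_netstat_listeners(netstat_text).items():
        if bound_port != port:
            continue
        findings.append({
            "bind": address,
            "pid": pid,
            "image": procs.get(pid, "<unknown>"),
            "network_reachable": address not in LOOPBACK_BINDS,
        })
    return findings


def parse_version(version_str):
    """Reduce a build string such as '10.5.10981.0' to its (major, minor) pair."""
    return tuple(int(x) for x in re.findall(r"\d+", version_str)[:2])


def is_affected(version_str):
    """True when the installed build is older than the 10.5 fix. This does not
    check whether the build is still a supported release."""
    return parse_version(version_str) < FIXED_VERSION


if __name__ == "__main__":
    installed = "10.0.1234.0"  # constructed version string for the demo run
    print(f"Installed build {installed}: {'AFFECTED' if is_affected(installed) else 'fixed'}")
    for f in exposed_remoting_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        reach = "network-reachable" if f["network_reachable"] else "loopback only"
        print(f"TCP {REMOTING_PORT} bound on {f['bind']} by {f['image']} (PID {f['pid']}): {reach}")
```

On a live host the two sample strings would be replaced by the captured output of the same commands; a wildcard bind (`0.0.0.0` or `[::]`) on 9004 owned by the Auditor service, combined with a pre-10.5 build, is the condition the advisory describes, and the remediation remains the vendor update rather than any change to the listener.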

Analyzing the .NET remoting service revealed that it could be accessed with the UAVRServer endpoint. The ysoserial.net tool was used to generate a serialized object designed to execute the command whoami on the server under the context of UAVRServer.exe:

FIGURE 3 – Generating a serialized object

The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception was an indicator that the payload was executed successfully:

FIGURE 4 – Sending the malicious object to the UAVRServer service

Logging onto the server and inspecting the contents of C:\temp\out.txt showed that the command was executed successfully:

FIGURE 5 – Code executed through the .NET remoting service

Since the command was executed with NT AUTHORITY\SYSTEM privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.



About the author, Jordan Parkin

Senior Security Consultant

Jordan Parkin (OSCP, OSWP) is a Senior Security Consultant for Bishop Fox, where he focuses on web and mobile application assessments, network penetration testing, and embedded systems security. Jordan has worked for Fortune 500 companies across a wide range of industries, including finance, healthcare, technology, and manufacturing.
