NETWRIX AUDITOR ADVISORY SUMMARY
This document describes a vulnerability identified in the Netwrix Auditor application, affecting all supported versions prior to 10.5.
Netwrix Auditor is IT auditing software used to track assets within an organization. The product's official website is https://www.netwrix.com/auditor.html. The latest version of the application is 10.5, released on June 6, 2022.
One vulnerability was identified within the Netwrix Auditor application:
- Insecure Object Deserialization
This vulnerability is described in the following sections.
Affected Versions: All supported versions prior to 10.5
Summary of Findings
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. The issue is caused by an unsecured .NET remoting service listening on TCP port 9004: the remoting channel accepts connections without authentication and deserializes whatever serialized objects a client sends.
An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.
Solution: Update to version 10.5
Insecure Object Deserialization
Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.
CVE ID: CVE-2022-31199
Vulnerability Type: Insecure Object Deserialization
Access Vector: Remote
Impact: Code execution, Escalation of privileges
Security Risk: Critical
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. In a typical real-world scenario, Netwrix Auditor services would be running with a highly privileged account, which could lead to full compromise of the Active Directory environment.
This issue was discovered by performing a TCP port scan of a Netwrix Auditor server with nmap. As the following output shows, the Netwrix server exposed a .NET remoting service on TCP port 9004:
FIGURE 1 – Scanning for services on the Netwrix server
The tasklist command was then run on the Netwrix server to identify which process was exposing the .NET remoting service:
FIGURE 2 – Identifying the .NET remoting service
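The two discovery steps above (find the listener, map it to a process) can be turned into a repeatable check for defenders. The script below is an added example and is not part of the Bishop Fox advisory or Netwrix's own tooling. It assumes, beyond what the advisory states, that the product registers under the Windows Uninstall registry keys with a DisplayName beginning "Netwrix Auditor" and that the remoting listener uses TCP 9004 as in the advisory's scan; adjust -Port if your instance differs. It reports the owning process of the listener, whether the socket is bound to a non-loopback address (and therefore reachable from the network), and whether the installed version is older than the fixed release.

```powershell
<#
Added example (not from the advisory, not Netwrix code): defender-side check for
the exposure described in CVE-2022-31199. Run in an elevated Windows PowerShell
session on the Netwrix Auditor server.
Assumptions not stated in the advisory: the product appears under the Uninstall
registry keys with DisplayName "Netwrix Auditor*", and the remoting listener is
on TCP 9004 (the port seen in the advisory's nmap scan).
#>
param(
    [int]$Port = 9004,
    [version]$FixedVersion = '10.5'
)

function ConvertTo-VersionOrNull([string]$Text) {
    # Uninstall entries sometimes carry stray characters; keep digits and dots only.
    $v = $null
    if ([version]::TryParse(($Text -replace '[^\d.]'), [ref]$v)) { $v } else { $null }
}

function Get-RemotingListener {
    param([int]$Port)
    # Map the listening socket to its owning process (what the advisory did with tasklist).
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress      = $_.LocalAddress
                ProcessId         = $_.OwningProcess
                ProcessName       = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Path              = if ($proc -and $proc.Path) { $proc.Path } else { 'unknown' }
                # Anything other than 127.x / ::1 (including 0.0.0.0 and ::) is reachable from the network.
                ReachableRemotely = ($_.LocalAddress -notmatch '^(127\.|::1$)')
            }
        }
}

function Get-NetwrixAuditorVersion {
    # Installed product version from the Uninstall keys (64-bit and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' -and (ConvertTo-VersionOrNull $_.DisplayVersion) } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object { ConvertTo-VersionOrNull $_.DisplayVersion } -Descending |
        Select-Object -First 1
}

$product   = Get-NetwrixAuditorVersion
$listeners = @(Get-RemotingListener -Port $Port)

if (-not $product) {
    Write-Output 'Netwrix Auditor was not found in the Uninstall registry keys; verify the installation manually.'
} else {
    $installed = ConvertTo-VersionOrNull $product.DisplayVersion
    Write-Output ('Installed: {0} {1}' -f $product.DisplayName, $product.DisplayVersion)
    if ($installed -lt $FixedVersion) {
        Write-Output ("VULNERABLE: installed version is older than {0} (CVE-2022-31199); update to {0} or later." -f $FixedVersion)
    } else {
        Write-Output ('Installed version is {0} or later.' -f $FixedVersion)
    }
}

if ($listeners.Count -eq 0) {
    Write-Output ('Nothing is listening on TCP {0}.' -f $Port)
} else {
    foreach ($l in $listeners) {
        $scope = if ($l.ReachableRemotely) { 'reachable from the network' } else { 'loopback only' }
        Write-Output ('TCP {0} is owned by PID {1} ({2}, {3}), bound to {4}: {5}' -f
            $Port, $l.ProcessId, $l.ProcessName, $l.Path, $l.LocalAddress, $scope)
    }
}

# From a different host, confirm what the advisory's port scan showed, i.e. whether the
# listener is actually reachable across the network:
#   Test-NetConnection -ComputerName <netwrix-server> -Port 9004
```

The condition the advisory describes is the combination of an installed version older than 10.5 and a listener on port 9004 that is bound to a non-loopback address and reachable from other hosts. Until the update is applied, restricting network access to that port to the hosts that need it is a general compensating control (this is standard guidance, not a vendor statement), since the service does not authenticate the clients that connect to it.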
Analyzing the .NET remoting service revealed that it could be accessed through the UAVRServer endpoint. The ysoserial.net tool was used to generate a serialized object designed to execute the command whoami on the server under the context of the affected service and write its output to C:\temp\out.txt:
FIGURE 3 – Generating a serialized object
The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception was an indicator that the payload had executed: the gadget chain runs while the server deserializes the incoming message, before the remoting call itself fails.
FIGURE 4 – Sending the malicious object to the UAVRServer service
Logging onto the server and inspecting the contents of C:\temp\out.txt confirmed that the command had been executed:
FIGURE 5 – Code executed through the .NET remoting service
Since the command was executed with NT AUTHORITY\system privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.