NETWRIX AUDITOR ADVISORY SUMMARY
The following document describes identified vulnerabilities in the Netwrix Auditor application in supported versions prior to 10.5.
Product Vendor
Netwrix
Product Description
Auditor is IT auditing software used to track assets within an organization. The product’s official website is https://www.netwrix.com/auditor.html. The latest version of the application is 10.5, released on June 6, 2022.
Vulnerabilities List
One vulnerability was identified within the Netwrix Auditor application:
- Insecure Object Deserialization
This vulnerability is described in the following sections.
Affected Version
All supported versions prior to 10.5
Summary of Findings
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. This issue is caused by an unsecured .NET remoting port accessible on TCP port 9004.
Impact
An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.
Solution
Update to version 10.5
Insecure Object Deserialization
Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.
Vulnerability Details
CVE ID: CVE-2022-31199
Vulnerability Type: Insecure Object Deserialization
Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)
Impact: ☒ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)
Security Risk: ☒ Critical, ☐ High, ☐ Medium, ☐ Low
Vulnerability: CWE-502
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. In a typical real-world scenario, Netwrix Auditor services would be running with a highly privileged account, which could lead to full compromise of the Active Directory environment.
This issue was discovered by performing a TCP port scan of a Netwrix Auditor server using the tool nmap. As the following output demonstrates, the Netwrix server had a .NET remoting service available on TCP port 9004:
FIGURE 1 – Scanning for services on Netwrix server
The netstat and tasklist commands were used on the Netwrix server to find out which process was exposing the .NET remoting service:
FIGURE 2 – Identifying the .NET remoting service
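As an added illustration (not part of the Bishop Fox advisory or of Netwrix's code), the following Python script performs the Figure 2 check from a defender's side: it parses `netstat -ano` and `tasklist /fo csv /nh` output to report which process is listening on TCP 9004 and whether the bind address is reachable from the network. The sample outputs, PIDs and addresses are constructed and are assumptions, not values from the advisory.

```python
import csv
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of Windows `netstat -ano` output; the PIDs
# and addresses are made up and are not taken from the advisory's figures.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9004           0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING       4120
"""

# Constructed sample in the shape of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = """
"UAVRServer.exe","4120","Services","0","210,456 K"
"System","4","Services","0","1,234 K"
"""

NETWRIX_REMOTING_PORT = 9004  # .NET remoting port named in the advisory
LISTENER = re.compile(r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")

def parse_listeners(netstat_output: str) -> List[Tuple[str, int, int]]:
    """Return (bind_address, port, pid) for each TCP line in LISTENING state."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTENER.match(line)
        if m:
            found.append((m["addr"], int(m["port"]), int(m["pid"])))
    return found

def parse_tasklist(tasklist_output: str) -> Dict[int, str]:
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(l for l in tasklist_output.splitlines() if l.strip())
    return {int(row[1]): row[0] for row in rows}

def find_remoting_listeners(netstat_output: str, tasklist_output: str,
                            port: int = NETWRIX_REMOTING_PORT) -> List[dict]:
    """Report every process listening on `port`, flagging binds that are
    reachable from the network (anything other than a loopback address)."""
    images = parse_tasklist(tasklist_output)
    report = []
    for addr, p, pid in parse_listeners(netstat_output):
        if p != port:
            continue
        loopback = addr.startswith("127.") or addr in ("::1", "[::1]")
        report.append({"bind": addr, "pid": pid, "image": images.get(pid, "<unknown>"),
                       "network_reachable": not loopback})
    return report
```

A hit whose image is the Auditor service and whose bind is network-reachable on a host running a version prior to 10.5 is the condition this advisory describes, and is the host to prioritise for the update.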
Analyzing the .NET remoting service revealed that it could be accessed with the UAVRServer endpoint. The ysoserial.net tool was used to generate a serialized object designed to execute the command whoami on the server under the context of UAVRServer.exe:
FIGURE 3 – Generating a serialized object
The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception was an indicator that the payload was executed successfully:
FIGURE 4 – Sending the malicious object to the UAVRServer service
Logging onto the server and inspecting the contents of C:\temp\out.txt showed that the command was executed successfully:
FIGURE 5 – Code executed through the .NET remoting service
Since the command was executed with NT AUTHORITY\SYSTEM privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.