Zscaler Client Connector Zero-interaction Privilege Escalation Vulnerability

A new privilege escalation vulnerability has been discovered in Zscaler Client Connector, combining three different vulnerabilities.

The three vulnerabilities were associated with Reverting password check (CVE-2023-41972), arbitrary code execution (CVE-2023-41973), and Arbitrary File Deletion (CVE-2023-41969).

Though these vulnerabilities are low-level and bypassed, combining them escalates a threat actor from a standard user privilege to a high-privileged NT AUTHORITY\SYSTEM service account on Windows.

However, these vulnerabilities have been fixed by Zscaler Client Connector on their latest versions.

Technical Analysis

According to the researchers, Zscaler Client Connector is a local Desktop client that can connect Zscaler’s various network tunnels.

This Zscaler Client Connector consists of two main processes: ZSATray and ZSATrayManager.

ZSATrayManager runs as a service with NT AUTHORITY\SYSTEM and handles network management, configuration enforcement, and updates.

ZSATray is a front-end application built on the .NET Framework. It and ZSATrayManager use Microsoft Remote Procedure Call (RPC) with ZSATrayHelper.dll, which contains the sendZSATrayManagerCommand method.

However, Zscaler implements RPC call validations to ensure that these RPC calls are made from trusted processes.

This check is performed in two ways: Process ID validation and Caller Process Validation.

In fact, Zscaler is implemented so that if any PID hash exists in the ZSATrayManager cache memory, these two validations can be bypassed.

As an alternative to this, Process Injection can also be used by injecting the user-owned ZSATray.exe process to run arbitrary code.

This process will pass all the security checks but it is complex to execute because ZSATray is a .NET assembly with managed code.

CVE-2023-41972: Revert Password Check Incorrect Type Validation

As the RPC call check is bypassed from the above steps, the next step is finding the supported RPC functions that can be leveraged to achieve privilege escalation.

Zscaler has implemented additional authentication for some functions, like the PERFORM_APP_REVERT.

This function reverts the ZScaler Client Connector to a previous version using an older installer.

Moreover, the function also accepts previousInstallerName, pwdType, and password as arguments. However, the function will only execute if the correct password is provided.

Further analysis revealed that ZSATrayManager does not check if pwdType matches PASSWORD_TYPE.ZCC_REVERT_PWD means that the password check function will trust any pwdType passed via the RPC.

Hence, this function can be bypassed by setting pwdType in the RPC to SHOW_ADVANCED_SETTINGS.

CVE-2023-41973: Lack Of Input Sanitization On Zscaler Client Connector

On diving deep into the PERFORM_APP_REVERT function, it was discovered that the function accepts previousInstallerName as an argument, which is appended to C:\Program Files\ZScaler\RevertZcc that is generally set to {VERSION NUMBER}.exe.

The execution of the file is performed by the ZSATrayManager at this path as NT AUTHORITY\SYSTEM. To exploit this, a threat actor can supply a path traversal string such as ..\..\..\{ATTACKER-CONTROLLED PATH} to execute the payload.

In addition, DLL Hijacking is also performed with ZSAService, which results in arbitrary code execution. This eventually results in gaining NT AUTHORITYSYSTEM privilege.

To fix these vulnerabilities, users of Zscaler Client Connector are recommended to upgrade their versions to 4.2.0.209 / 4.3.0.121 or higher.