Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE)
The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the desktop for audit, compliance, and troubleshooting purposes.
Particularly, the vulnerability exploits the “combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE,” security researcher Sina Kheirkhah said.
The vulnerability details are listed below –
However, Citrix noted that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server domain and on the same intranet as the session recording server. The defects have been addressed in the following versions –
It’s worth noting that Microsoft has urged developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter has been removed from .NET 9 as of August 2024.
“BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category,” the tech giant notes in its documentation. “As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution.”
At the heart of the problem is the Session Recording Storage Manager, a Windows service that manages the recorded session files received from each computer that has the feature enabled.
While the Storage Manager receives the session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service, the analysis found that a serialization process is employed to transfer the data and that the queue instance has excessive privileges.
To make matters worse, the data received from the queue is deserialized using BinaryFormatter, thereby allowing an attacker to abuse the insecure permissions set during the initialization process to pass specially crafted MSMQ messages sent via HTTP over the internet.
“We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization,” Kheirkhah said, detailing the steps to create an exploit. “The ‘cherry on top’ is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP.”
“This combo allows for a good old unauthenticated RCE,” the researcher added.
