
Advisory – Netskope Client for Windows – Local Privilege Esc...#1374

Merged
carlospolop merged 2 commits into master from update_Advisory___Netskope_Client_for_Windows___Local_Pri_20250830_184240
Sep 3, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

CVE-2025-0309: Local Privilege Escalation in Netskope Client for Windows < R129

Target: Netskope Client for Windows < R129. CVE-2025-0309 allows a local, low-privileged user to coerce the client to enroll into a rogue Netskope server and abuse the update channel to run a malicious MSI as SYSTEM via the privileged stAgentSvc. Impact: full local privilege escalation, root CA trust compromise, and arbitrary code execution ...

🔧 Technical Details

Force enrollment to an attacker server via IPC: Speak the localhost IPC protocol to stAgentSvc and invoke IDP_USER_PROVISIONING_WITH_TOKEN (ID 148) with a JWT using alg=None and AddonUrl=attacker host. Example:

{
  "148": {
    "idpTokenValue": "<JWT with AddonUrl=attacker>",
    "tenantName": "TestOrg"
  }
}
This redirects all subsequent client API calls to your rogue host for enrollment.

Exploit the update channel for SYSTEM: Implement the Netskope endpoints and return: (1) /v2/config/org/clientconfig with clientUpdate.updateIntervalInMin=1; (2) /config/ca/cert with your PEM CA (installed into Local Machine Trusted Root); (3) /v2/checkupdate pointing to a malicious MSI signed by a cert issued by your CA (CN “netSkope Inc” or “Netskope, Inc.”). Include a benign CERT_DIGEST property and set

🤖 Agent Actions

I analyzed the blog and the HackTricks repository and implemented a new Windows local privilege escalation technique page focused on abusing enterprise client auto-updaters and privileged IPC, using Netskope’s stAgentSvc as a detailed example. I also linked it from the main Windows LPE page and the Windows LPE checklist.

What I added and why:

  • Created a new page under Windows LPE that abstracts the technique from the blog (not CVE-focused, but technique-focused):

    • Path: src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
    • Content covers:
      • Forcing enrollment to an attacker-controlled server over localhost IPC using a JWT with alg=None and AddonUrl.
      • Abusing the updater flow to install a malicious MSI as SYSTEM (rogue CA in Trusted Root, signer CN allow-list bypass, CERT_DIGEST property, disabling digest checks).
      • Forging “encrypted” IPC requests by deriving AES key/IV from HKLM registry values (nsdeviceidnew and ProductID).
      • Bypassing IPC caller allow-lists by injecting into an allow-listed Netskope binary or spawning suspended and patching NtContinue to LoadLibrary your DLL (works with tamper-protection constraints).
      • Blue team detection tips (Trusted Root additions, MSI from ProgramData agent path, agent logs).
      • Tooling references (NachoVPN plugin and UpSkope).
      • References: the blog URL, tools, NVD entry.
    • Includes banners, concise step-by-step commands/JSON, registry paths, and operational notes as per HackTricks style.
  • Linked the new page from related files so users can find it:

    • In the main Windows LPE page:
      • Added a new section and internal reference after the WSUS section:
        • File: src/windows-hardening/windows-local-privilege-escalation/README.md
        • Inserted section: “Third-Party Auto-Updaters and Agent IPC (local privesc)” with
          {{#ref}}
          abusing-auto-updaters-and-ipc.md
          {{#endref}}
    • In the Windows LPE checklist:
      • Added a new checklist item pointing to the technique:
        • File: src/windows-hardening/checklist-windows-privilege-escalation.md
        • Item: “Third-party agent auto-updaters / IPC abuse”

Files modified/created:

  • Created:
    • src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md
  • Modified:
    • src/windows-hardening/windows-local-privilege-escalation/README.md
    • src/windows-hardening/checklist-windows-privilege-escalation.md

Rationale for placement:

  • The technique is a Windows local privilege escalation via abusing a third-party agent’s auto-update process and IPC, which aligns best under:
    • Windows Hardening > Windows Local Privilege Escalation
  • I added a concise link from the main LPE methodology (near WSUS) because WSUS is also an update-path abuse. The checklist now highlights this vector explicitly.

If you need more integrations (e.g., cross-references from MSI pages), I can add them, but the key linking is in place for discoverability.

References included in the new page:

  • Advisory – Netskope Client for Windows – Local Privilege Escalation via Rogue Server (CVE-2025-0309)
  • NachoVPN Netskope plugin
  • UpSkope IPC client/exploit
  • NVD entry for CVE-2025-0309

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
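The summary above describes a client that accepted a provisioning JWT with alg=None and then followed the AddonUrl claim inside it. The following Python sketch is an added illustration (not code from the advisory, from Netskope, or from the HackTricks page) of the checks a consumer of IPC request ID 148 should apply before trusting that token: pin the signing algorithm, verify the MAC, and restrict the AddonUrl host to a known tenant allow-list. The allow-list, the shared secret and the HS256 choice are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

ALLOWED_ADDON_HOSTS = {"addon.example-tenant.invalid"}  # constructed placeholder, not from the page
SHARED_SECRET = b"constructed-demo-secret"              # constructed placeholder, not from the page

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict, alg: str, key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWT as test input; alg='none' yields the unsigned form (empty signature)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": alg}).encode())
    body = enc(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{enc(sig)}"

def validate_provisioning_token(token: str, key: bytes = SHARED_SECRET) -> tuple:
    """Return (accepted, reason): refuse unsigned/non-HS256 tokens and off-tenant AddonUrl hosts."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return False, "undecodable header or payload"
    # 'alg' is attacker-controlled input: pin the accepted algorithm, never honour 'none'.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "algorithm not allowed"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    host = urlparse(str(claims.get("AddonUrl", ""))).hostname if isinstance(claims, dict) else None
    if host not in ALLOWED_ADDON_HOSTS:
        return False, f"AddonUrl host not allowed: {host!r}"
    return True, "ok"

def handle_ipc_message(message: dict) -> tuple:
    """Entry point for the IPC shape shown on the page: {"148": {"idpTokenValue": ..., "tenantName": ...}}."""
    req = message.get("148")
    if not isinstance(req, dict):
        return False, "unsupported request id"
    return validate_provisioning_token(str(req.get("idpTokenValue", "")))
```

The same algorithm pinning applies whatever the chosen algorithm is; the point is that the token's own header must never decide how, or whether, it is verified.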

Build master and others added 2 commits August 29, 2025 10:09
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.amberwolf.com/blog/2025/august/advisory---netskope-client-for-windows---local-privilege-escalation-via-rogue-server/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Privilege Escalation > Windows > Abusing Auto-Updaters and IPC (e.g., Netskope stAgentSvc enrollment/IPC abuse)".

Repository Maintenance:

  • MD Files Formatting: 879 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions Bot force-pushed the master branch 2 times, most recently from ef47d69 to 7b4b7a7 on September 3, 2025 11:00
@carlospolop
Collaborator Author

merge

@github-actions github-actions Bot force-pushed the master branch 2 times, most recently from c7c075d to ab8f715 on September 3, 2025 12:11
@carlospolop carlospolop merged commit a11dd54 into master Sep 3, 2025
@carlospolop carlospolop deleted the update_Advisory___Netskope_Client_for_Windows___Local_Pri_20250830_184240 branch September 3, 2025 14:02
github-actions Bot pushed a commit that referenced this pull request Sep 3, 2025
…ope_Client_for_Windows___Local_Pri_20250830_184240

Advisory – Netskope Client for Windows – Local Privilege Esc...
carlospolop added a commit that referenced this pull request Sep 29, 2025
…ope_Client_for_Windows___Local_Pri_20250830_184240

Advisory – Netskope Client for Windows – Local Privilege Esc...