Bypass Record

Exploitation for Priv-Esc × Zscaler Client Connector

A publicly-reported instance of Exploitation for Priv-Esc bypassing Zscaler Client Connector, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Zscaler Client Connector
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: poc
Disclosed: 2024-05-27
Config / version noted: Not stated

Provenance

Reported as

bypassing RPC caller validation...attacker can...brute-force a PID collision...bypassing validation and allowing arbitrary RPC commands as SYSTEM

Mechanism

ZSATrayManager caches allowed RPC caller PIDs using an FNV-1a hash and skips Authenticode and caller process checks for cached PIDs. The cache is not pruned, so an attacker can repeatedly kill and restart ZSATray to populate the cache with many PIDs, then brute-force a PID collision by spawning an attacker-controlled process that reuses a cached PID, bypassing validation and allowing arbitrary RPC commands as SYSTEM.
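To make the design flaw the record describes concrete, here is an added Python simulation (not Zscaler's code) of a caller-trust cache keyed on an FNV-1a hash of the PID alone and never pruned, beside a hardened variant keyed on PID plus process start time. The process objects, PIDs and start times are constructed stand-ins; the Authenticode/caller check is reduced to a boolean.

```python
from dataclasses import dataclass


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a, the hash family the record says the cache keys on."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


@dataclass(frozen=True)
class Proc:
    """Constructed stand-in for a live process: PID, kernel start time,
    and the (simulated) outcome of the Authenticode/caller-process check."""
    pid: int
    start_time: float
    signed_ok: bool


class PidOnlyCache:
    """Weak pattern: trust keyed on hash(PID) only, entries never removed.
    Once a PID is cached, any later process holding that PID is trusted."""
    def __init__(self) -> None:
        self._allowed: set[int] = set()

    def is_allowed(self, p: Proc) -> bool:
        key = fnv1a_32(p.pid.to_bytes(4, "little"))
        if key in self._allowed:
            return True  # cache hit skips the real checks
        if p.signed_ok:
            self._allowed.add(key)
            return True
        return False


class PidStartTimeCache:
    """Hardened: the cache identity is (PID, start time), so a reused PID
    is a different key and falls through to full validation again."""
    def __init__(self) -> None:
        self._allowed: set[tuple[int, float]] = set()

    def is_allowed(self, p: Proc) -> bool:
        key = (p.pid, p.start_time)
        if key in self._allowed:
            return True
        if p.signed_ok:
            self._allowed.add(key)
            return True
        return False


def simulate(cache_cls) -> tuple[bool, bool]:
    """Trusted client at PID 4242 is validated and exits; an unsigned process
    later reuses PID 4242. Returns (trusted_allowed, reuser_allowed)."""
    cache = cache_cls()
    trusted = Proc(pid=4242, start_time=1000.0, signed_ok=True)
    reuser = Proc(pid=4242, start_time=1500.0, signed_ok=False)
    return cache.is_allowed(trusted), cache.is_allowed(reuser)
```

Pruning the entry when the cached process exits closes the same gap; keying on start time additionally defends against a race between exit and prune.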

Detection & mitigation

Monitor for processes spawning with SYSTEM integrity that are not expected, especially from non-privileged user sessions. Detect rapid process creation and termination patterns (PID reuse) targeting ZSATrayManager, and enforce application control to restrict execution of untrusted binaries.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.