Netwrix Directory Manager (GroupID) - Local privilege escalation due to Cross-Site Scripting (XSS)

23/07/2025

Product

Netwrix Directory Manager

Severity

High

Fixed Version(s)

11.1.25162.02

Affected Version(s)

≤ 11.1.25134.03

CVE Number

CVE-2025-47189

Authors

Benjamin Sepe

Description

Presentation

Netwrix Directory Manager (formerly Netwrix GroupID) is a solution designed to automate and delegate the management of users and groups within directories like Active Directory and Microsoft Entra ID. The software helps automate group memberships based on user attributes, simplifies group hierarchy management, and automates user provisioning and deprovisioning processes.

The Password Management component can be deployed to provide self-service password reset functionality for directory users. To do so, users can autonomously prove their identity through various methods, thus reducing their reliance on their company's helpdesk.

Issue(s)

Synacktiv has identified a high impact Cross-Site Scripting (XSS) vulnerability in the Netwrix Directory Manager's Self-Service Password Reset (SSPR) portal.

This flaw enables two primary attack vectors:

  • Pre-Authenticated Local Privilege Escalation: on workstations where the Netwrix Credential Provider is deployed, the XSS vulnerability can be triggered from the Windows lock screen to escalate privileges to a local administrator account.

  • Administrator Impersonation: an attacker can craft a malicious URL that, when clicked by a Directory Manager administrator, allows the attacker to hijack their session. This would grant the attacker full administrative access, including the ability to compromise any managed directory user by setting a new password for them.

Affected versions

Patch version 11.1.25134.03 is affected. Earlier versions are likely to be vulnerable as well.

Timeline

Date Description
2025.04.23 Advisory sent to Netwrix
2025.04.29 Editor confirms the finding and starts working on remediation
2025.06.12 Patch version 11.1.25162.02 published by the editor
2025.07.23 Public release


Technical details

Description

When the Credential Provider service is installed on a workstation, a clickable password reset hyperlink is added to its Windows lock screen. This link opens the Self-Service Password Reset portal inside a custom Chromium web browser, hardened to prevent escaping from the context of the web page. The corresponding web page is: https://netwrix-server:4443/main/Home/PasswordReset.

Upon choosing one of the identity stores available, a form prompts the user for their username and a captcha to complete. The browser is then redirected to the /GroupIDSecurityService/Account/Multifactor page, and if the provided username does not exist, it is reflected back to the user inside an error message. However, no HTML encoding is applied to this value before it is inserted into the page. Therefore, if HTML is entered in the username field, it is parsed and rendered by the hardened web browser, which results in a reflected Cross-Site Scripting (XSS) issue whenever a script tag is supplied. For instance, entering <script>alert('xss')</script> as the username leads to a browser pop-up opening on the next page, with the text "xss".

Note that the Cross-Site Scripting issue can be directly triggered by accessing the following path on the Directory Manager server, provided that the appropriate parameters are provided: /GroupIDSecurityService/Account/Multifactor?ReturnUrl=https://netwrix-server:4443/main/IdentityManagement/Users/ResetPassword&cid=[...]&storeid=2&userid=%3Cscript%3Ealert('xss')%3C/script%3E&wauth=authmode:multifactor&wtrealm=https://netwrix-server:4443/main.
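To make the reflection concrete, here is an added example written for this page in Python; it is not code from Synacktiv's advisory or from Netwrix, whose server-side code is not shown. It reconstructs the flawed pattern as a hypothetical template, places the output-encoding fix beside it, builds the direct trigger URL from the parameters listed above, and classifies a response body as vulnerable, encoded or not reflecting. The host name netwrix-server, the port 4443 and every parameter name come from the advisory; the cid value is printed as [...] above and is not documented here, so the caller must supply it. The probe value is a benign marker chosen for the example, not the advisory's alert payload.

```python
"""Added example, not Synacktiv's or Netwrix's code.

Reconstructs the reflected-XSS pattern described in the advisory as a
hypothetical template, shows the output-encoding fix beside it, builds
the trigger URL from the advisory's parameters, and checks a response
body for an unencoded reflection of a probe value.
"""
import html
from urllib.parse import urlencode

# Path of the vulnerable page, as given in the advisory.
MULTIFACTOR_PATH = "/GroupIDSecurityService/Account/Multifactor"

# Benign probe: no script, but '<' and '>' must survive unencoded for the
# page to be vulnerable. Replace with <script>alert('xss')</script> to
# reproduce exactly what the advisory describes.
PROBE = "<xss-probe-7c1f>"


def render_error_vulnerable(username: str) -> str:
    """Hypothetical reconstruction of the flaw: the username is
    interpolated into the HTML error message with no encoding."""
    return f"<p class=\"error\">User '{username}' was not found.</p>"


def render_error_fixed(username: str) -> str:
    """Same message with HTML entity encoding applied to the untrusted
    value (quote=True also neutralises attribute-context breakouts)."""
    safe = html.escape(username, quote=True)
    return f"<p class=\"error\">User '{safe}' was not found.</p>"


def build_trigger_url(server: str, userid: str, cid: str) -> str:
    """Build the direct trigger URL from the advisory's parameter list.

    The advisory prints cid as [...] without documenting its value, so the
    caller must provide it (assumption: it is a plain string)."""
    base = f"https://{server}:4443"
    params = {
        "ReturnUrl": f"{base}/main/IdentityManagement/Users/ResetPassword",
        "cid": cid,
        "storeid": "2",
        "userid": userid,
        "wauth": "authmode:multifactor",
        "wtrealm": f"{base}/main",
    }
    return f"{base}{MULTIFACTOR_PATH}?{urlencode(params)}"


def reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """True if the probe appears verbatim in the response body.

    A patched server reflects it entity-encoded (&lt;xss-probe-...&gt;),
    which is harmless and therefore does not count."""
    return probe in body


def classify(body: str, probe: str = PROBE) -> str:
    """Summarise a response body: 'vulnerable', 'encoded' or 'absent'."""
    if reflected_unencoded(body, probe):
        return "vulnerable"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    # Constructed response bodies standing in for a live server.
    for name, page in (("unpatched", render_error_vulnerable(PROBE)),
                       ("patched", render_error_fixed(PROBE))):
        print(f"{name}: {classify(page)}")
    print(build_trigger_url("netwrix-server", PROBE, cid="cid-value-here"))
```

When checking a live instance, fetch the URL returned by build_trigger_url with the probe as userid and pass the response body to classify; "encoded" is the expected result on 11.1.25162.02 or later.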

Impact

An attacker with physical access to a locked workstation on which the Credential Provider is installed could craft a payload that escapes the hardened web browser's context and gain full administrative (SYSTEM) privileges on the machine.

Note that this requires that the workstation has network access to the Directory Manager server, i.e. that it is connected to the company's internal network directly or over a VPN service.

The following steps can be followed to elevate local privileges:

  • On the SSPR portal, provide the username <script>window.print()</script>. After clicking "Reset Password", the executed JavaScript payload opens the Windows printer selection page.
  • Choose the "Microsoft Print to PDF" virtual printer, and click "print". This opens a Windows file explorer pop-up, prompting to select a destination for the PDF file.
  • Navigate to a filesystem path, for instance by selecting the C:\ disk.
  • Shift + right-click on an empty area of the window, and select the option to open a PowerShell window there.
  • Close all open windows, including the browser, until the PowerShell terminal is visible on top of the Windows lock screen.

Since the hardened browser runs as the SYSTEM account, the newly opened PowerShell window inherits full privileges on the local system. From there, the attacker is in a position to access the workstation's local data, including the cached credentials of domain users, and to reuse them on the company's internal network.


As stated above, the Cross-Site Scripting issue can also be abused directly by crafting a malicious link, since arbitrary JavaScript can be URL-encoded into the userid parameter of the /GroupIDSecurityService/Account/Multifactor page. Malicious code could thus abuse an administrator's existing session to send requests for sensitive actions, such as setting a new password for any directory user managed by the application. By convincing an administrator to click on such a link, for example in a phishing email, an attacker could effectively compromise any directory account managed by Directory Manager.
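Both attack vectors, the lock-screen abuse and the phishing link, hit the same Multifactor page with HTML in the userid parameter, which gives defenders a simple thing to look for in the Directory Manager server's web logs. The following is an added example for this page in Python, not code from Synacktiv or Netwrix: it scans W3C-format log lines for requests to that page whose userid carries HTML or script markers once percent-decoded, and flags double-encoded payloads, a common filter-evasion trick. The log lines are constructed for the example; that the Directory Manager front end logs in IIS/W3C format with a cs-uri-query field, and the exact field list in the #Fields header, are assumptions.

```python
"""Added example, not Synacktiv's or Netwrix's code.

Detects attempts to exploit the reflected XSS in the Multifactor page by
scanning W3C-style web server log lines (the format IIS writes) for
requests whose userid parameter carries HTML or script markers once
percent-decoded. Handles double-encoded payloads. All log lines below are
constructed for this example; the #Fields layout is an assumption.
"""
from urllib.parse import parse_qs, unquote

MULTIFACTOR_PATH = "/GroupIDSecurityService/Account/Multifactor"

# Substrings that have no business in a directory username.
MARKERS = ("<", ">", "javascript:", "onerror=", "onload=", "srcdoc=")

# Constructed sample log (assumption: W3C format with a #Fields header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-04-23 10:01:02 10.0.0.5 GET /GroupIDSecurityService/Account/Multifactor ReturnUrl=https://netwrix-server:4443/main/IdentityManagement/Users/ResetPassword&storeid=2&userid=jdoe&wauth=authmode:multifactor 4443 - 10.0.1.20 Mozilla/5.0 200
2025-04-23 10:02:10 10.0.0.5 GET /GroupIDSecurityService/Account/Multifactor ReturnUrl=https://netwrix-server:4443/main/IdentityManagement/Users/ResetPassword&storeid=2&userid=%3Cscript%3Ewindow.print()%3C/script%3E&wauth=authmode:multifactor 4443 - 10.0.1.21 Mozilla/5.0 200
2025-04-23 10:03:44 10.0.0.5 GET /groupidsecurityservice/account/multifactor ReturnUrl=https://netwrix-server:4443/main/IdentityManagement/Users/ResetPassword&storeid=2&userid=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E&wauth=authmode:multifactor 4443 - 10.0.1.22 Mozilla/5.0 200
2025-04-23 10:04:00 10.0.0.5 GET /main/Home/PasswordReset - 4443 - 10.0.1.20 Mozilla/5.0 200
"""


def fully_decode(value: str, max_rounds: int = 3):
    """Percent-decode until stable; returns (decoded, extra_rounds).

    parse_qs has already decoded once, so extra_rounds >= 1 means the
    request was double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def parse_w3c(log_text: str):
    """Yield one dict per data row, keyed by the names in #Fields."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; a real pipeline would report it
        yield dict(zip(fields, parts))


def find_xss_attempts(log_text: str):
    """Return suspicious Multifactor requests as a list of dicts."""
    findings = []
    for row in parse_w3c(log_text):
        # IIS paths are case-insensitive, so compare them that way.
        if row["cs-uri-stem"].lower() != MULTIFACTOR_PATH.lower():
            continue
        query = row["cs-uri-query"]
        if query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)
        for raw in params.get("userid", []):
            userid, extra_rounds = fully_decode(raw)
            hits = [m for m in MARKERS if m in userid.lower()]
            if hits:
                findings.append({
                    "when": f"{row['date']} {row['time']}",
                    "c_ip": row["c-ip"],
                    "userid": userid,
                    "double_encoded": extra_rounds >= 1,
                    "markers": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in find_xss_attempts(SAMPLE_LOG):
        print(finding)
```

A hit from a workstation's address on a server that is still below 11.1.25162.02 points at the lock-screen vector; a hit whose referrer is an external site or mail client points at the phishing vector, so keeping the cs(Referer) field in the log layout is worthwhile.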