Advisory ID: SYSS-2025-032
Product: Citrix Virtual Apps and Desktops
Manufacturer: Cloud Software Group
Affected Version(s): 2402, 2411
Tested Version(s): 2402, 2411
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-04-03
Solution Date: 2025-07-08
Public Disclosure: 2025-07-09
CVE Reference: CVE-2025-6759
Authors of Advisory: Timm Lippert, SySS GmbH
                     Christopher Beckmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Citrix Virtual Apps and Desktops provides a virtualization solution for
application and desktop provision to remote devices of all types over any
network.

The manufacturer describes the product as follows (see [1]):

"Citrix Virtual Apps and Desktops are virtualization solutions that give IT
control of virtual machines, applications, licensing, and security while
providing anywhere access for any device.

Citrix Virtual Apps and Desktops allow:

- End users to run applications and desktops independently of the device's
  operating system and interface.
- Administrators to manage the network and control access from selected
  devices or from all devices.
- Administrators to manage an entire network from a single data center.

Citrix Virtual Apps and Desktops share a unified architecture called
FlexCast Management Architecture (FMA). FMA's key features are the ability
to run multiple versions of Citrix Virtual Apps or Citrix Virtual Desktops
from a single site and integrated provisioning."

Due to improper process handle usage in the Citrix Graphics Engine (CtxGfx),
the process can be used to elevate a user's privileges to
"NT AUTHORITY\SYSTEM".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The low-privileged Citrix Graphics Engine process (CtxGfx) appears to be
created with the flag "bInheritHandle" set to "true", so that a handle to a
high-privileged process is leaked into the user's process. A low-privileged
user can obtain this handle and use it to create a new process with the
rights of the high-privileged process. In this case, a process running as
"NT AUTHORITY\SYSTEM" could be created on a Microsoft Windows 11 Pro
v. 10.0.26100 instance.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To exploit the leaked process handle, the process first needs to be opened
via the Kernel32 function "OpenProcess"[6], which returns a process handle.
This handle can be duplicated, and a new privileged process can then be
created with the function "CreateProcess"[8]: the extended startup
information struct "STARTUPINFOEX"[7] is initialized with the duplicated
handle and the result is passed to "CreateProcess".

The tool "Leaked Handles Finder"[5] automates this process and can be used
for this. The generated LeakedHandlesFinder.exe can be run as follows:

"LeakedHandlesFinder.exe -a"

This will automatically iterate over all processes accessible with the
rights of the current user, try to copy the process handle, check the
handle's privileges, and try to create a new cmd.exe process with the
copied handle as the higher-privileged user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH recommends setting the "bInheritHandle" flag to "false" when
creating a low-privileged process from a high-privileged process via, for
example, the "CreateProcessAsUserW" function of the Win32 API.
The manufacturer recommends that customers upgrade their Windows Virtual
Delivery Agent for single-session OS to versions that contain the fix as
soon as possible.[9]

More information can be found at the following URL:
https://www.securityartwork.es/2022/05/25/exploiting-leaked-handles-for-lpe-2/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-13: Vulnerability discovered
2025-04-03: Vulnerability reported to manufacturer
2025-07-08: Vulnerability bulletin released by manufacturer
2025-07-10: Public disclosure of vulnerability by SySS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Citrix Virtual Apps and Desktops
    https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview
[2] SySS Security Advisory SYSS-2025-032
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-032.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Leaked Handles Finder GitHub repository
    https://github.com/lab52io/LeakedHandlesFinder
[6] Kernel32 OpenProcess
    https://learn.microsoft.com/de-de/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[7] Struct STARTUPINFOEX
    https://pinvoke.net/default.aspx/Structures/STARTUPINFOEX.html
[8] kernel32 CreateProcess
    https://www.pinvoke.net/default.aspx/kernel32/CreateProcess.html
[9] Security bulletin by Cloud Software Group
    https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694820

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Timm Lippert and Christopher
Beckmann of SySS GmbH.
E-Mail: timm.lippert@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Timm_Lippert.asc
Key ID: 0x7CB074CCDDAC771C
Key Fingerprint: EE5B D50E 72C6 1EF7 6C98 B7DD 7CB0 74CC DDAC 771C

E-Mail: christopher.beckmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christopher_Beckmann.asc
Key ID: 0x760E4B15E0ABBA57
Key Fingerprint: CAAE AA0E 9F07 800F 3978 D85C 760E 4B15 E0AB BA57

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en