Local Privilege Escalation in Rapid7’s Windows Insight IDR Agent
by Florian Bogner
With Insight IDR, Rapid7 has created a very powerful, yet still easy to use Incident Detection and Response toolkit. During one of my latest assignments I found its Windows agent installed on my client’s systems.
While trying to disable it so that I could stay under the radar, I discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 running Insight Agent v184.108.40.206. The issue has been fixed with version 2.6.5.
The underlying issue is that the ir_agent Windows service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll.
Although this path does not exist by default, it can be created by any local user. This is possible because the filesystem ACLs of the system drive allow anyone to create new subfolders, and a subfolder created that way is writable by its creator.
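The following audit script is an added example and is not code from the original post or from Rapid7. It checks, from a defender's side, whether the directory a privileged service would load a DLL from can be created or written by non-administrative principals. It walks up from the DLL path to the first directory that exists (for C:\DLLs\python3.dll that is C:\ on a default installation), then inspects that directory's ACL. Two details matter for the advisory's case: inherit-only ACEs on C:\ do not grant anything on the root itself, and principals are matched by well-known SID rather than by name so the check also works on a localized (e.g. German) Windows. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not Rapid7's or the author's code): report whether a DLL path that a
# SYSTEM service loads could be planted by a non-admin user.
# Assumption: run in an elevated PowerShell on the host being checked.

# Well-known SIDs that every interactive, non-admin user holds in their token.
$script:LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)

function Test-HijackableDllPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DllPath)

    # Walk upwards until an existing directory is found. If the DLL's folder is
    # missing, the ACL of the first existing ancestor decides who may create it;
    # if it exists, its own ACL decides who may drop a file into it.
    $dir = Split-Path -Path $DllPath -Parent
    $missing = New-Object System.Collections.Generic.List[string]
    while (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        $missing.Add($dir)
        $parent = Split-Path -Path $dir -Parent
        if ([string]::IsNullOrEmpty($parent)) { throw "No existing ancestor for $DllPath" }
        $dir = $parent
    }
    $needCreateDir = $missing.Count -gt 0

    $createDirs  = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $findings = foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself (C:\ has
        # such an ACE giving Authenticated Users Modify on newly created subfolders).
        if (($ace.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }

        $sid = try {
            $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $null }
        if (-not $sid -or $script:LowPrivSids -notcontains $sid) { continue }

        # The right that lets an attacker plant the DLL depends on whether the
        # folder still has to be created (AppendData / CreateDirectories) or
        # already exists (WriteData / CreateFiles).
        $rights = [int]$ace.FileSystemRights
        $dangerous = if ($needCreateDir) { ($rights -band $createDirs) -ne 0 }
                     else                { ($rights -band $createFiles) -ne 0 }
        if ($dangerous) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
            }
        }
    }

    [pscustomobject]@{
        DllPath            = $DllPath
        ExistingDirectory  = $dir
        MissingDirectories = $missing.ToArray()
        Hijackable         = @($findings).Count -gt 0
        GrantedTo          = @($findings)
    }
}

# Usage: the path named in the advisory. On a default Windows 10 install this reports
# C:\ as the existing directory and Authenticated Users with AppendData as the grant.
Test-HijackableDllPath -DllPath 'C:\DLLs\python3.dll' | Format-List
```

The same function can be pointed at any other absolute path a service is observed loading (for example from a Process Monitor trace filtered on NAME NOT FOUND results), which makes it a reusable check for this whole class of missing-DLL hijacks rather than only for this one agent.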
With that knowledge, I created a new DLL that mimics the expected exports of the real python3.dll. However, instead of providing any of the expected functionality, it simply adds a new administrative user “attacker” to the system. You can download the full source here.
After compiling it into a DLL I saved it (naturally, with a standard user account) as C:\DLLs\python3.dll.
After a reboot the DLL was loaded by the privileged Windows service ir_agent and the user attacker was created.
Proof of Concept
To confirm this issue yourself install the Insight IDR Windows Agent v220.127.116.11 (The issue has been fixed with version 2.6.5) and download the precompiled version of the malicious exploit DLL.
After that, as a non-admin user, create the folder C:\DLLs and place the library python3.dll therein. Now simply reboot the system. After that the new admin user attacker will be added. This proves that full SYSTEM level access has been gained.
Mitigation
All external dependencies should only be loaded from secure locations.
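The vendor fix is the agent update to 2.6.5. Until such an update can be rolled out, an administrator can make the load location "secure" from the filesystem side by pre-creating the directory with an ACL that only SYSTEM and Administrators can write to, so that no low-privileged user can create or fill it. The script below is an added example of that interim workaround; it is not Rapid7's fix and not code from the original post. It assumes an elevated session and that the directory is not legitimately written to by other software.

```powershell
# Added example (not Rapid7's fix): pre-create a directory a privileged service
# searches for DLLs and give it a restrictive, non-inherited ACL.
# Assumption: run elevated; the directory has no other legitimate writers.

function Protect-DllDirectory {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Directory

    # Break inheritance and discard inherited ACEs. This is what removes the Modify
    # right that subfolders of C:\ otherwise inherit for Authenticated Users.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs as well, in case the folder already existed.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Take ownership away from whoever created the folder: the owner implicitly
    # holds WRITE_DAC and could otherwise re-grant rights to themselves.
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $acl.SetOwner($admins)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' }     # SYSTEM
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' }     # BUILTIN\Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }  # BUILTIN\Users: read only
    )
    foreach ($g in $grants) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($g.Sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $g.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Directory -AclObject $acl
    Get-Acl -LiteralPath $Directory | Format-List Owner, AccessToString
}

# Usage: the directory named in the advisory.
Protect-DllDirectory -Directory 'C:\DLLs'
```

After running it, the audit from the section above should no longer find any low-privileged principal with create or write rights on C:\DLLs; the service will still fail to find python3.dll there, which is the pre-existing behaviour, but nobody below Administrators can change that.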
Timeline
- 22.5.2019: The issue has been identified, documented and reported
- 22.5.2019: The vulnerability has been confirmed by Rapid7
- 29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that fixes this vulnerability. CVE-2019-5629 has been assigned.
About the Author
My name is Florian and I’m an IT Security Expert. I run my own company called “Bee IT Security” (https://bee-itsecurity.at) where our goal is to make complex security related topics easier to understand, so that the right decisions can be taken. In my free time I love to write for my blog https://bogner.sh. Additionally, I still sometimes find the time to hunt for bugs on HackerOne and Bugcrowd. A few years ago I graduated at the UAC Technikum Vienna with a bachelor degree in Information and Communication Systems.
The article has been originally published at: https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/