[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation
- From: Florian Bogner <florian@xxxxxxxxxxxxxxxxx>
- Date: Mon, 3 Jun 2019 05:33:20 +0000
Local Privilege Escalation in Rapid7’s Windows Insight IDR Agent
Metadata
===================================================
Release Date: 03-Jun-2019
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: Rapid7’s Insight Agent v2.6.3.14 and earlier for Windows
Fixed in: version 2.6.5
Tested on: Windows 10 x64 fully patched
CVE: CVE-2019-5629
URL:
https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/
Vulnerability Status: Fixed with new release
Product Description
===================================================
Rapid7’s InsightIDR is your security center for incident detection and
response, authentication monitoring, and endpoint visibility. InsightIDR
identifies unauthorized access from external and internal threats and
highlights suspicious activity so you don’t have to weed through thousands of
data streams. [https://insightidr.help.rapid7.com/docs]
Vulnerability Description
===================================================
While trying to disable the InsightIDR Agent during one of my assignments (so
that I could stay under the radar), I discovered a privilege escalation
vulnerability in its Windows service. This vulnerability could be abused by any
local user to gain full control over the affected system. It has been verified
on a fully patched German Windows 10 x64 running Insight Agent v2.6.3.14. The
issue has been fixed with version 2.6.5.
The underlying vulnerability was that the ir_agent Windows Service, which is
automatically started on system boot and runs with SYSTEM privileges, tries to
load the DLL C:\DLLs\python3.dll. This causes a local privilege escalation from
authenticated user to SYSTEM.
A full vulnerability description is available here:
https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/
Suggested Solution
===================================================
End-users should update to the latest available version.
Disclosure Timeline
===================================================
22.5.2019: The issue has been identified, documented and reported
22.5.2019: The vulnerability has been confirmed by Rapid7
29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that
fixes this vulnerability. CVE-2019-5629 has been assigned.
03.6.2019: Public disclosure
PoC
===================================================
A working PoC is available here:
https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/
___________
Florian Bogner
Information Security Expert, Speaker
Bee IT Security Consulting e.U.
Nibelungenstraße 37
3123 A-Schweinern
Tel: +43 660 123 9 454
Mail: florian@xxxxxxxxxxxxxxxxx
Web: https://www.bee-itsecurity.at