Velociraptor did not properly sanitize the client id parameter to the CreateCollection API allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.

Normally to schedule an artifact on the server requires the COLLECT_SERVER permissions (normally only granted to "administrator" role), but due to this issue it is sufficient to have the COLLECT_CLIENT privilege (normally granted to the "investigator" role)

To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (not administrator but at least "investigator"). Be able to authenticate to the GUI (e.g. via OAuth2) and issue an API call to the backend. Typically most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).

This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go and program routines ScheduleArtifactCollection().

This issue affects Velociraptor: before 0.6.7-5.

Required configuration for exposure:

Velociraptor deployment with multiple users at lower roles than administrators (e.g. "investigators")

Problem:

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22

Impact:

CAPEC-233 Privilege Escalation CAPEC-233

Product Status:

Solution:

Upgrade to 0.6.7-5

Timeline:

• 2023-01-13 - Notification of the issue
• 2023-01-17 - Release 0.6.7-5 made available on Github