The Velociraptor Windows MSI installer creates the installation directory with WRITE_DACL permission to the BUILTIN\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.
CWE-552: Files or Directories Accessible to External Parties
CWE-732: Incorrect Permission Assignment for Critical Resource
Product | Affected
---|---
Rapid7 Velociraptor » MSI Installer on Windows (source repo: https://github.com/Velocidex/velociraptor/blob/master/docs/wix/velociraptor_amd64.xml; default status is unaffected) | before 0.73.3 (unaffected from 0.73.3)
For new installs use the updated MSI. If you do not wish to upgrade the endpoint client at this time, please arrange to run the icacls.exe command sequence described below at the earliest time.
In Velociraptor, start a hunt over all of your Windows assets, select the Windows.System.PowerShell artifact, and paste the following into the Command parameter:
icacls.exe "c:\Program Files\Velociraptor" /inheritance:d /t /c
icacls.exe "c:\Program Files\Velociraptor" /remove builtin\users /t /c
To verify the correct permissions after a new MSI install, use the following command:
C:> icacls "c:\Program Files\Velociraptor"
c:\Program Files\Velociraptor BUILTIN\Users:(OI)(CI)(DENY)(S)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
This should show a DENY rule for BUILTIN\Users.
If the icacls commands above were applied instead, all permissions for the BUILTIN\Users group will have been removed and the group no longer appears in the output:
C:> icacls "c:\Program Files\Velociraptor"
c:\Program Files\Velociraptor BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
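The check and the remediation described above can also be run as one PowerShell script, which is useful when the hunt output needs to be parsed rather than read. The script below is an added example and is not from the Rapid7 advisory or the Velociraptor project: it audits the install directory for BUILTIN\Users Allow entries that carry WRITE_DAC (ChangePermissions) or WRITE_OWNER (TakeOwnership), the condition the advisory describes, and with -Remediate applies the same two steps as the icacls sequence (disable inheritance keeping existing entries, then remove every BUILTIN\Users entry on the tree). The install path is the advisory's default; the function names and the -Remediate switch are this script's own.

```powershell
# Added example, not part of the Rapid7 advisory or the Velociraptor project.
# Audits C:\Program Files\Velociraptor (the advisory's default path) for
# BUILTIN\Users ACEs that grant WRITE_DAC / WRITE_OWNER and can apply the
# same fix as the advisory's icacls sequence. -Remediate is this script's own.
param(
    [string]$Path = 'C:\Program Files\Velociraptor',
    [switch]$Remediate
)

# Resolve BUILTIN\Users by well-known SID so the check works on localized systems.
$script:UsersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$script:UsersName = $script:UsersSid.Translate([System.Security.Principal.NTAccount]).Value

function Get-RiskyUsersAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    # An Allow ACE for BUILTIN\Users with ChangePermissions (WRITE_DAC) or
    # TakeOwnership (WRITE_OWNER) lets a standard user rewrite the DACL.
    # FullControl includes both bits, so it is caught as well.
    # A DENY entry (the fixed MSI's end state) is excluded by the Allow filter.
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $script:UsersName -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ( ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ChangePermissions) -ne 0 -or
          ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -ne 0 )
    }
}

function Repair-VelociraptorAcl {
    param([string]$Directory)
    # Step 1, equivalent of "icacls /inheritance:d": stop inheriting from the
    # parent but keep the currently inherited ACEs as explicit ones. This is
    # persisted before purging because PurgeAccessRules only touches explicit
    # entries, so purging an in-memory ACL that still inherits would do nothing.
    $acl = Get-Acl -LiteralPath $Directory
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Directory -AclObject $acl

    # Step 2, equivalent of "icacls /remove builtin\users /t /c": drop every
    # explicit ACE for the group on the directory and everything beneath it.
    $targets = @(Get-Item -LiteralPath $Directory) +
               @(Get-ChildItem -LiteralPath $Directory -Recurse -Force)
    foreach ($item in $targets) {
        $itemAcl = Get-Acl -LiteralPath $item.FullName
        $explicit = $itemAcl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $script:UsersName
        }
        if ($explicit) {
            $itemAcl.PurgeAccessRules($script:UsersSid)
            Set-Acl -LiteralPath $item.FullName -AclObject $itemAcl
        }
    }
}

$risky = @(Get-RiskyUsersAce -Directory $Path)
if ($risky.Count -eq 0) {
    Write-Output "OK: no BUILTIN\Users Allow ACE with WRITE_DAC/WRITE_OWNER on $Path"
} else {
    foreach ($ace in $risky) {
        Write-Output ("RISK: {0} {1} {2} inherited={3}" -f
            $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
    }
    if ($Remediate) {
        Repair-VelociraptorAcl -Directory $Path
        # Re-check: the advisory's expected end state has no Allow ACE for BUILTIN\Users.
        if (@(Get-RiskyUsersAce -Directory $Path).Count -eq 0) {
            Write-Output "Remediated: BUILTIN\Users removed from $Path"
        } else {
            Write-Output "WARNING: risky ACE still present on $Path"
        }
    }
}
```

Run without -Remediate first to get a RISK/OK line per endpoint; the audit is read-only. Like the advisory's icacls sequence, the remediation removes every BUILTIN\Users entry rather than adding a DENY, so after it runs the directory listing shows only BUILTIN\Administrators and NT AUTHORITY\SYSTEM, which matches the second icacls output above.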
We thank Jean-Baptiste Mesnard-Sense from SYNACKTIV for identifying and reporting this issue.