Published on 2024-11-03


The Velociraptor Windows MSI installer creates the installation directory with WRITE_DACL permission to the BUILTIN\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.

Problem:

CWE-552 Files or Directories Accessible to External Parties
CWE-732 Incorrect Permission Assignment for Critical Resource

Impact:

CAPEC-165 File Manipulation
CAPEC-233 Privilege Escalation

Product Status:

Product: Rapid7 Velociraptor » MSI Installer on Windows
Source repo: https://github.com/Velocidex/velociraptor/blob/master/docs/wix/velociraptor_amd64.xml
Default status: unaffected
Affected: before 0.73.3 (unaffected from 0.73.3)

Solution:

For new installs, use the updated MSI. If you do not wish to upgrade the endpoint client at this time, run the icacls.exe command sequence described below as soon as possible.

Workaround:

In Velociraptor, start a hunt over all your Windows assets, select the Windows.System.PowerShell artifact and paste the following into the Command parameter:

    icacls.exe "c:\Program Files\Velociraptor" /inheritance:d /t /c
    icacls.exe "c:\Program Files\Velociraptor" /remove builtin\users /t /c

This hunt will update the ACLs on the Velociraptor directory to remove all BUILTIN\Users permissions.

To verify the correct permissions after a new MSI install, use the following command:

    C:> icacls "c:\Program Files\Velociraptor"
    c:\Program Files\Velociraptor BUILTIN\Users:(OI)(CI)(DENY)(S)
                                  BUILTIN\Administrators:(OI)(CI)(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

This should show a DENY rule for BUILTIN\Users.

If the workaround commands above were applied instead, all permissions for the BUILTIN\Users group are removed:

    C:> icacls "c:\Program Files\Velociraptor"
    c:\Program Files\Velociraptor BUILTIN\Administrators:(OI)(CI)(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files
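When icacls listings like the two above are collected from many endpoints, it helps to evaluate them mechanically rather than by eye. The following Python script is an added example and is not part of this advisory or of Velociraptor; it parses the ACE lines printed by `icacls <path>` and reports any write-capable rights that an allow ACE grants to BUILTIN\Users. The install path, the three sample listings (the first models an affected install) and the set of rights treated as write-capable are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Tokens in an icacls ACE that describe inheritance or ACE type rather than rights.
ACE_META = {"OI", "CI", "IO", "NP", "I", "DENY"}
# Rights that let the holder rewrite the DACL or write into the directory.
# Assumption: this set is the example's own choice, based on the icacls
# right abbreviations (F, M, W, WDAC, WO, WD, AD); it is not from the advisory.
WRITE_RIGHTS = {"F", "M", "W", "WDAC", "WO", "WD", "AD"}

INSTALL_PATH = r"c:\Program Files\Velociraptor"   # assumed default install path


@dataclass
class Ace:
    principal: str
    rights: set
    deny: bool
    inherited: bool


def parse_icacls(output: str, path: str) -> list:
    """Parse the ACE lines of `icacls <path>` output into Ace objects."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # icacls prints the first ACE on the same line as the path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, _, flags = line.partition(":")
        tokens = re.findall(r"\(([^)]*)\)", flags)
        rights = set()
        for tok in tokens:
            if tok in ACE_META:
                continue
            # Specific rights are comma-separated inside one group, e.g. "(RX,WDAC)".
            rights.update(r.strip() for r in tok.split(","))
        aces.append(Ace(principal, rights, "DENY" in tokens, "I" in tokens))
    return aces


def users_can_write(aces, group=r"BUILTIN\Users") -> list:
    """Return the sorted write-capable rights the group holds through allow ACEs."""
    found = set()
    for ace in aces:
        if ace.principal.lower() == group.lower() and not ace.deny:
            found |= ace.rights & WRITE_RIGHTS
    return sorted(found)


# Constructed sample listings modelled on the advisory's output. The first one
# shows what an affected install might print; the others mirror the fixed
# MSI and the post-workaround state.
AFFECTED = "\n".join([
    r"c:\Program Files\Velociraptor BUILTIN\Users:(OI)(CI)(RX,WDAC)",
    r"                              BUILTIN\Administrators:(OI)(CI)(F)",
    r"                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
FIXED_MSI = "\n".join([
    r"c:\Program Files\Velociraptor BUILTIN\Users:(OI)(CI)(DENY)(S)",
    r"                              BUILTIN\Administrators:(OI)(CI)(F)",
    r"                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
AFTER_WORKAROUND = "\n".join([
    r"c:\Program Files\Velociraptor BUILTIN\Administrators:(OI)(CI)(F)",
    r"                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])


def assess(output: str, path: str = INSTALL_PATH) -> str:
    """Summarise one listing as a short status string."""
    rights = users_can_write(parse_icacls(output, path))
    if rights:
        return "NEEDS FIX: BUILTIN Users allowed " + ",".join(rights)
    return "OK: no write-capable allow ACE for BUILTIN Users"


if __name__ == "__main__":
    for name, sample in [("affected", AFFECTED), ("fixed MSI", FIXED_MSI),
                         ("after workaround", AFTER_WORKAROUND)]:
        print(f"{name:17s} -> {assess(sample)}")
```

The parser treats a DENY ACE as harmless regardless of the rights it lists, which matches the fixed installer's `(DENY)(S)` entry, and it ignores inherited-versus-explicit status when deciding, since a write-capable allow ACE from either source lets a standard user modify the directory.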

Credits:

We thank Jean-Baptiste Mesnard-Sense from SYNACKTIV for identifying and reporting this issue.

Timeline:

  • 2024-10-28 - Initial Notification by SYNACKTIV
  • 2024-11-03 - 0.73.3 was released to address this issue and an advisory published on Velociraptor's website.