Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation

Related Vulnerabilities: CVE-2019-5629  
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Florian Bogner &lt;florian () bee-itsecurity at&gt;


<em>Date</em>: Mon, 3 Jun 2019 05:32:39 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Local Privilege Escalation in Rapid7’s Windows Insight IDR Agent

Metadata
===================================================
Release Date: 03-Jun-2019
Author: Florian Bogner @ <a rel="nofollow" href="https://bee-itsecurity.at">https://bee-itsecurity.at</a>
Affected product: Rapid7’s Insight Agent v2.6.3.14 and earlier for Windows
Fixed in: version 2.6.5
Tested on: Windows 10 x64 fully patched
CVE: CVE-2019-5629
URL: <a rel="nofollow" href="https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/">https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/</a>
Vulnerability Status: Fixed with new release

Product Description
===================================================
Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and 
endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights 
suspicious activity so you don’t have to weed through thousands of data streams. 
[<a rel="nofollow" href="https://insightidr.help.rapid7.com/docs">https://insightidr.help.rapid7.com/docs</a>]

Vulnerability Description
===================================================
While trying to disable the InsightIDR Agent during one of my assignments (so that I could stay under the radar), I 
discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local 
user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 
running Insight Agent v2.6.3.14. The issue has been fixed with version 2.6.5.

The underlying vulnerability was that the ir_agent Windows Service, which is automatically started on system boot and 
runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll. This allows a local privilege escalation from 
an authenticated user to SYSTEM.

A full vulnerability description is available here: 
<a rel="nofollow" href="https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/">https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/</a>
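As an added audit example (not part of the advisory and not Rapid7's code), the PowerShell below checks, for a DLL path that a SYSTEM service is known to load, whether the file is absent and whether the nearest existing parent directory lets ordinary users create it, which is the precondition for the planted-DLL issue described above. The DLL path is the one named in the advisory; the SID list, the rights mask and the output wording are assumptions.

```powershell
# Added audit example (not from the advisory or Rapid7): for each DLL path a
# SYSTEM service loads, report whether the file is missing and whether the
# nearest existing parent directory lets ordinary users create it.
# The path comes from the advisory; the SID list and rights mask are assumptions.

$SuspectDlls = @('C:\DLLs\python3.dll')

# SIDs every interactive local account belongs to on a stock install:
# Everyone, Authenticated Users, BUILTIN\Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that allow dropping a file or subdirectory into a folder.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $Rights::CreateFiles -bor $Rights::CreateDirectories -bor
             $Rights::Write -bor $Rights::Modify -bor $Rights::FullControl

function Test-LowPrivWrite {
    param([string]$Directory)
    foreach ($rule in (Get-Acl -LiteralPath $Directory).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip rather than guess
        if (($LowPrivSids -contains $sid) -and ((([int]$rule.FileSystemRights) -band [int]$WriteMask) -ne 0)) {
            return $rule.IdentityReference.Value
        }
    }
    return $null
}

foreach ($dll in $SuspectDlls) {
    if (Test-Path -LiteralPath $dll) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        "[INFO] $dll is present (Authenticode status: $sig); confirm it is the expected binary."
        continue
    }
    # Walk up to the first directory that actually exists (C:\ at worst).
    $dir = Split-Path -Path $dll -Parent
    while ($dir -and -not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Path $dir -Parent }
    if (-not $dir) { "[WARN] $dll has no existing ancestor directory"; continue }
    $writer = Test-LowPrivWrite -Directory $dir
    if ($writer) {
        "[HIGH] $dll is missing and '$writer' may create it under $dir; pre-create the directory with an admin-only ACL and update the agent."
    } else {
        "[OK]   $dll is missing but $dir is not writable by ordinary users."
    }
}
```

On a default Windows install the root of C:\ grants Authenticated Users the right to create folders, so a missing C:\DLLs reports as HIGH until the agent is updated or the directory is pre-created with a restrictive ACL.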

Suggested Solution
===================================================
End-users should update to the latest available version.

Disclosure Timeline
===================================================
22.5.2019: The issue has been identified, documented and reported
22.5.2019: The vulnerability has been confirmed by Rapid7
29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that fixes this vulnerability. CVE-2019-5629 has 
been assigned.
03.6.2019: Public disclosure

PoC
===================================================
A working PoC is available here: 
<a rel="nofollow" href="https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/">https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/</a>

___________

Florian Bogner
Information Security Expert, Speaker

Bee IT Security Consulting e.U.
Nibelungenstraße 37
3123 A-Schweinern

Tel: +43 660 123 9 454
Mail: florian () bee-itsecurity at
Web: <a rel="nofollow" href="https://www.bee-itsecurity.at">https://www.bee-itsecurity.at</a> 


_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>