Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation

From: Florian Bogner <florian@bee-itsecurity.at>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation

Local Privilege Escalation in Rapid7\u2019s Windows Insight IDR Agent

Release Date: 03-Jun-2019
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product:  Rapid7\u2019s Insight Agent v2.6.3.14 and earlier for Windows
Fixed in: version 2.6.5
Tested on: Windows 10 x64 fully patched
CVE:  CVE-2019-5629
URL: https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/
Vulnerability Status: Fixed with new release

Product Description
Rapid7\u2019s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don\u2019t have to weed through thousands of data streams. [https://insightidr.help.rapid7.com/docs]

Vulnerability Description
While trying to disable the InsightIDR Agent during one of my assignments (so that I could stay under the radar), I discovered a privilege escalation vulnerability in its Windows service. This vulnerability could be abused by any local user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 running Insight Agent v2.6.3.14. The issue has been fixed with version 2.6.5.

The underlying vulnerability was that the ir_agent Windows Service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll. This causes a local privilege escalation from authenticated user to SYSTEM.

A full vulnerability description is available here: https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/

Suggested Solution
End-users should update to the latest available version.

Disclosure Timeline
22.5.2019: The issue has been identified, documented and reported
22.5.2019: The vulnerability has been confirmed by Rapid7
29.5.2019: Rapid7 released a new version (2.6.5) of the Insight agent that fixes this vulnerability. CVE-2019-5629 has been assigned.
03.6.2019: Public disclosure

A working PoC is available here: https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/


Florian Bogner
Information Security Expert, Speaker

Bee IT Security Consulting e.U.
Nibelungenstrae 37
3123 A-Schweinern

Tel: +43 660 123 9 454
Mail: florian@bee-itsecurity.at
Web: https://www.bee-itsecurity.at 

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.