Rapid7’s Insight Agent v2.6.3.14 Local Privilege Escalation Vulnerability

Summary

Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at “C:\DLLs\python3.dll”, which is normally writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent’s startup conditions to elevate to SYSTEM privileges.

Credit:

The information has been provided by Florian Bogner.

The original article can be found at:

http://seclists.org/fulldisclosure/2019/Jun/13


Details

While trying to disable the InsightIDR Agent during one of my assignments (so that I could stay under the radar), I discovered a privilege escalation vulnerability in its Windows service.

This vulnerability could be abused by any local user to gain full control over the affected system. It has been verified on a fully patched German Windows 10 x64 running Insight Agent v2.6.3.14. The issue has been fixed with version 2.6.5. The underlying vulnerability was that the ir_agent Windows Service, which is automatically started on system boot and runs with SYSTEM privileges, tries to load the DLL C:\DLLs\python3.dll.

This causes a local privilege escalation from authenticated user to SYSTEM.

A full vulnerability description is available here: https://bogner.sh/2019/06/local-privilege-escalation-in-rapid7s-windows-insight-idr-agent/
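
An added host check for administrators, not part of the original advisory or of Rapid7's tooling: it reports the installed agent version against the fixed release, which accounts may write to C:\DLLs, and whether a python3.dll is already present there. The service name, path and fixed version come from the advisory; the use of the executable's ProductVersion as the agent version and the report field names are assumptions.

```powershell
# Added defensive check, not part of the advisory. Run from an elevated prompt.
# Taken from the advisory: service ir_agent, C:\DLLs\python3.dll, fix in 2.6.5.
$DllDir   = 'C:\DLLs'
$DllPath  = Join-Path $DllDir 'python3.dll'
$FixedVer = [version]'2.6.5'
$report   = [ordered]@{ Host = $env:COMPUTERNAME; AgentVersion = $null
                        NeedsUpgrade = $null; DirExists = $false
                        WritableBy = @(); DllPresent = $false
                        DllSignature = $null; DllSha256 = $null }

# 1. Find the service binary and read its version.
# Assumption: the executable's ProductVersion mirrors the agent version.
$svc = Get-CimInstance Win32_Service -Filter "Name='ir_agent'"
if ($svc -and $svc.PathName -match '^\s*"?(.+?\.exe)') {
    $exe = Get-Item -LiteralPath $Matches[1] -ErrorAction SilentlyContinue
    $raw = $exe.VersionInfo.ProductVersion
    $ver = $null
    if ([version]::TryParse($raw, [ref]$ver)) {
        $report.AgentVersion = $ver
        $report.NeedsUpgrade = $ver -lt $FixedVer
    } else { $report.AgentVersion = "unparsed: $raw" }
}

# 2. Which accounts may create or modify files in the searched directory?
$write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
if (Test-Path -LiteralPath $DllDir -PathType Container) {
    $report.DirExists  = $true
    $report.WritableBy = @((Get-Acl -LiteralPath $DllDir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $write) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
}

# 3. A python3.dll at this path is what the vulnerable service tries to load.
if (Test-Path -LiteralPath $DllPath -PathType Leaf) {
    $report.DllPresent   = $true
    $report.DllSignature = (Get-AuthenticodeSignature -FilePath $DllPath).Status
    $report.DllSha256    = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
}

[pscustomobject]$report | Format-List
```

A host reporting NeedsUpgrade as True or DllPresent as True warrants follow-up. ACEs that Get-Acl displays as raw generic-rights numbers are not matched by the write mask and need manual review.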

Vulnerable Systems:

Rapid7’s Insight Agent v2.6.3.14 and earlier for Windows

CVE Information:

CVE-2019-5629

Disclosure Timeline:

Published Date: 07/16/2019