CVE-2023-0290
Rapid7 Velociraptor directory traversal in client ID parameter
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.
Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role.
To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.
This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Rapid7 Velociraptor no sanitizaba adecuadamente el parámetro de ID del cliente en la API CreateCollection, lo que permitía un directory traversal donde se podía escribir la tarea de recopilación. Era posible proporcionar una identificación de cliente de "../clients/server" para programar la recopilación para el servidor (como un artefacto del servidor), pero solo se requerían privilegios para programar recopilaciones en el cliente. Normalmente, para programar un artefacto en el servidor, se requiere el permiso COLLECT_SERVER. Normalmente, este permiso sólo se concede al rol de "administrador". Debido a este problema, basta con tener el privilegio COLLECT_CLIENT, que normalmente se otorga al rol de "investigador". Para aprovechar esta vulnerabilidad, el atacante ya debe tener una cuenta de usuario de Velociraptor al menos a nivel de "investigador" y poder autenticarse en la GUI y emitir una llamada API al backend. Normalmente, la mayoría de los usuarios implementan Velociraptor con acceso limitado a un grupo confiable y la mayoría de los usuarios ya serán administradores dentro de la GUI. Este problema afecta a las versiones de Velociraptor anteriores a la 0.6.7-5. La versión 0.6.7-5, lanzada el 16 de enero de 2023, soluciona el problema.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-01-13 CVE Reserved
- 2023-01-18 CVE Published
- 2024-01-25 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
- CAPEC-233: Privilege Escalation
References (1)
URL | Tag | Source |
---|---|---|
https://github.com/Velocidex/velociraptor | Product |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Rapid7 Search vendor "Rapid7" | Velociraptor Search vendor "Rapid7" for product "Velociraptor" | < 0.6.7-5 Search vendor "Rapid7" for product "Velociraptor" and version " < 0.6.7-5" | - |
Affected
|