Velociraptor Windows Service Local Privilege Escalation via MSI ACL Misconfiguration (CVE-2024-10526)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: CVE-2024-10526 2. Vulnerability Type: Local Privilege Escalation 3. Affected Software: Windows Velociraptor Service 4. Release Date: November 3, 2024 5. Issue Description: - The Velociraptor Windows MSI installer grants WRITE_DACL permission to the BUILTIN\Users group. - This allows non-administrator local users to grant themselves full control permissions over Velociraptor files. - By modifying Velociraptor files, local users can bypass binary code execution and run arbitrary code as the SYSTEM user, or fully replace the Velociraptor binary. 6. Impact: - CWE-552: File or Directory Accessible by External Entity - CWE-732: Incorrect Permission Assignment for Critical Resource 7. Product Status: - In versions prior to 0.73.3, the Velociraptor MSI installer granted WRITE_DACL permission to the BUILTIN\Users group. - Version 0.73.3 fixes this issue. 8. Solution: - For new installations, use the updated MSI. - If immediate client upgrade is not desired, schedule the execution of the following icacls.exe command sequence at the earliest opportunity. 9. Workaround: - In Velociraptor, initiate a search for all Windows assets, select the Windows.System.PowerShell plugin, and paste the following commands in the command parameters: - This search will update the ACLs of the Velociraptor directory, removing all permissions for BUILTIN\Users. 10. Acknowledgment: - Thanks to Jean-Baptiste Mesnard-Sense from SYNACKTIV for identifying and reporting this issue. This information provides a detailed description of the local privilege escalation vulnerability in the Velociraptor service, along with mitigation and workaround steps.

Goal Reached Thanks to every supporter — we hit 100%!

Velociraptor Windows Service Local Privilege Escalation via MSI ACL Misconfiguration (CVE-2024-10526)