How the CVE Works
The vulnerability is in the `Admin.Client.UpdateClientConfig` Velociraptor artifact, the built-in client artifact used to push a new configuration to an endpoint. Velociraptor gates artifact collection on two things: the caller must hold `COLLECT_CLIENT`, and the caller must also hold every permission the artifact itself declares as required. This artifact did not declare `EXECVE`, the permission that is supposed to protect operations which can run code on an endpoint, so collecting it demanded nothing beyond `COLLECT_CLIENT`. That permission is part of the ordinary “Investigator” role. An authenticated user with only that role could therefore collect the artifact against any client they could see and, by supplying a malicious client configuration, obtain arbitrary command execution on the endpoint with the privileges of the Velociraptor client service (SYSTEM on Windows, root on Linux), effectively taking the host over. The attack requires a valid GUI login and the ability to target a client; it needs no administrator rights on the server.
Platform: Velociraptor
Version: < 0.73.5
Vulnerability: Privilege Escalation
Severity: Medium
Date: 2024-07-16
Prediction: Patch expected 2024-07-30
What Undercode Says:
Collect the artifact from the server command line (the trailing client argument is cut off in the original and is left as given):
`velociraptor --config server.config.yaml artifacts collect Admin.Client.UpdateClientConfig --client`
Check which permissions the installed artifact declares; the fix adds `EXECVE` to this list, so an unpatched build shows it missing:
`velociraptor --config server.config.yaml query "SELECT name, required_permissions FROM artifact_definitions() WHERE name = 'Admin.Client.UpdateClientConfig'"`
How the Exploit Works:
An attacker holding the ‘Investigator’ role logs into the GUI, opens the target client, and launches a manual collection of `Admin.Client.UpdateClientConfig`. Because the artifact declares no required permissions, the server only checks `COLLECT_CLIENT`, which the role grants, and schedules the collection. The attacker passes a crafted client configuration as the artifact’s parameter, containing the command or script they want run. When the client applies the new configuration it executes the attacker’s payload with the privileges of the client service, i.e. SYSTEM on Windows or root on Linux.
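The following is an added example, not Velociraptor’s own code and not code from the original post. It models the collection check described in the two sections above (the caller needs COLLECT_CLIENT plus every permission the artifact declares under `required_permissions`) and audits artifact definitions for VQL that calls a code-execution plugin without declaring the matching permission. The role-to-permission table is an illustrative subset of Velociraptor’s ACL roles, the artifact definitions are constructed here as dicts of the shape `yaml.safe_load` gives for an artifact YAML file, and the artifact names `Custom.Client.RunCommand` and `Custom.Client.ListTemp` are hypothetical.

```python
import re

# VQL plugins whose use should force a permission on the artifact.
# Assumption: kept to EXECVE, the permission this page is about.
PLUGIN_PERMISSIONS = {
    "execve": "EXECVE",
}

# Illustrative subset of the role -> permission table (assumption, not the
# full Velociraptor ACL list). Investigator holds COLLECT_CLIENT but not EXECVE.
ROLE_PERMISSIONS = {
    "reader": {"READ_RESULTS"},
    "investigator": {"COLLECT_CLIENT", "READ_RESULTS", "LABEL_CLIENT"},
    "administrator": {"COLLECT_CLIENT", "READ_RESULTS", "LABEL_CLIENT",
                      "EXECVE", "SERVER_ADMIN"},
}

# Matches a call such as `execve(` anywhere in a VQL string.
_PLUGIN_CALL = re.compile(
    r"\b(" + "|".join(PLUGIN_PERMISSIONS) + r")\s*\(", re.IGNORECASE)

# Constructed artifact definitions (hypothetical names, not shipped artifacts).
# VULNERABLE omits required_permissions, mirroring the flaw described above:
# anyone who can COLLECT_CLIENT can run commands through it.
VULNERABLE = {
    "name": "Custom.Client.RunCommand",
    "type": "CLIENT",
    "parameters": [{"name": "Argv", "type": "json_array", "default": "[]"}],
    "sources": [{"query": "SELECT * FROM execve(argv=Argv)"}],
}
# FIXED is the same artifact with the permission declared.
FIXED = dict(VULNERABLE, required_permissions=["EXECVE"])
# BENIGN only reads the filesystem and needs nothing beyond COLLECT_CLIENT.
BENIGN = {
    "name": "Custom.Client.ListTemp",
    "type": "CLIENT",
    "sources": [{"query": "SELECT FullPath, Size FROM glob(globs='/tmp/*')"}],
}


def artifact_vql(artifact):
    """Yield every VQL string in an artifact: preconditions and source queries."""
    if artifact.get("precondition"):
        yield artifact["precondition"]
    for source in artifact.get("sources", []):
        if source.get("precondition"):
            yield source["precondition"]
        if source.get("query"):
            yield source["query"]
        for query in source.get("queries", []):   # older multi-query form
            yield query


def needed_permissions(artifact):
    """Permissions the artifact's VQL implies it ought to require."""
    needed = set()
    for vql in artifact_vql(artifact):
        for match in _PLUGIN_CALL.finditer(vql):
            needed.add(PLUGIN_PERMISSIONS[match.group(1).lower()])
    return needed


def declared_permissions(artifact):
    """Permissions the artifact actually lists under required_permissions."""
    return {p.upper() for p in artifact.get("required_permissions", [])}


def missing_permissions(artifact):
    """Permissions the artifact should declare but does not: the bug class here."""
    return needed_permissions(artifact) - declared_permissions(artifact)


def can_collect(role, artifact):
    """Model of the server-side check: COLLECT_CLIENT plus each declared permission."""
    held = ROLE_PERMISSIONS.get(role, set())
    if "COLLECT_CLIENT" not in held:
        return False
    return declared_permissions(artifact) <= held


def audit(artifacts):
    """Return [(name, sorted missing permissions)] for artifacts that under-declare."""
    findings = []
    for artifact in artifacts:
        missing = missing_permissions(artifact)
        if missing:
            findings.append((artifact["name"], sorted(missing)))
    return findings


if __name__ == "__main__":
    for role in ("investigator", "administrator"):
        print(f"{role}: vulnerable={can_collect(role, VULNERABLE)} "
              f"fixed={can_collect(role, FIXED)}")
    print("audit findings:", audit([VULNERABLE, FIXED, BENIGN]))
```

The point the model makes is that the permission check is only as strong as the artifact’s own declaration: the Investigator role passes the check against `VULNERABLE` and fails it against `FIXED`, and nothing about the role changed in between. The `audit` function catches the plain case where the VQL calls `execve()` directly; an artifact that reaches code execution indirectly, as the configuration-push artifact on this page does, needs to be reviewed by hand and given `required_permissions` explicitly.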
Protection from this CVE
Upgrade to version 0.73.5 or later, where the artifact requires `EXECVE`. Until then, apply least privilege: review which accounts hold roles that include `COLLECT_CLIENT` (the Investigator role among them), remove the role from users who do not need to collect from endpoints, and treat any custom artifact that can run code on a client as needing `required_permissions: EXECVE` as well.
Impact:
Arbitrary command execution on any endpoint the attacker can target, running as the Velociraptor client service (SYSTEM or root); full compromise of that endpoint; escalation from an Investigator GUI account to control over managed hosts.
Sources:
Reported By: www.cve.org

