The Rapid7 Insight Agent v3.1.2.38 and earlier does not properly double-quote the program path it passes to runas, which allows a local adversary to execute code with SYSTEM privileges.
7.8 HIGH
- Windows 10 with Insight Agent installed and 'Honey Credentials' enabled under 'Deception Technology' within InsightIDR
- After a reboot, using procmon boot logging, we can see the attempt to open 'Program.exe' caused by a command line that invokes Windows 'runas' with the path wrapped in only a single level of double quotes
runas /user:patchadmin /netonly /env "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.2.38\honeyhashx86.exe"
- The stack trace for this call can be seen here
- Along with the process tree, which shows it running with SYSTEM privileges
This can be exploited by creating the file 'C:\Program.exe', which is then picked up by the 'runas' call that 'ir_agent.exe' invokes. The call is made after every reboot.
Improper quoting allows an external module to be executed instead of the intended one because the path contains spaces. The call is made with SYSTEM privileges, and an attacker's module inherits that privilege when it is invoked. One cannot assume that all paths outside the application-controlled directory have been secured.
More information on the topic:
- MITRE ATT&CK ID: T1574.009 [https://attack.mitre.org/techniques/T1574/009/]
- CWE-428: Unquoted Search Path or Element [https://cwe.mitre.org/data/definitions/428.html]
- Microsoft API: CreateProcessWithTokenW [https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw]
When the program passed to Windows runas contains spaces in its path, the program argument must itself be double-quoted (escaped quotes nested inside the outer quotes), so that runas hands CreateProcess a quoted path:
runas /user:patchadmin /netonly /env "\"C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.2.38\honeyhashx86.exe\""
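To make the mechanism and the fix concrete, here is an added Python example (not part of the advisory and not Rapid7's code) that parses a runas command line the way Windows CommandLineToArgvW does, flags a program argument that contains spaces but is not itself quoted, lists the locations CreateProcess would probe before reaching the intended binary (the paths a defender should confirm are not writable by standard users), and builds the correctly escaped form shown above. The command strings are the two from this advisory; the function names are my own.

```python
import ntpath


def split_windows_cmdline(cmdline: str) -> list:
    """Split a command line following the CommandLineToArgvW rules
    (double quotes group, backslashes only escape a following quote),
    so we see exactly the argument string runas.exe receives."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                # 2k backslashes + quote -> k backslashes, quote toggles mode
                # 2k+1 backslashes + quote -> k backslashes + literal quote
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * run)  # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def runas_program_argument(cmdline: str):
    """Return the program string runas will execute, or None if this is not a runas call.
    runas takes its switches (/user:, /netonly, /env, ...) first; the program follows."""
    argv = split_windows_cmdline(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() not in ("runas", "runas.exe"):
        return None
    for arg in argv[1:]:
        if not arg.startswith("/"):
            return arg
    return None


def is_safely_quoted(program: str) -> bool:
    """A program string with spaces is only unambiguous if it is itself quoted."""
    if " " not in program:
        return True
    return len(program) >= 2 and program[0] == '"' and program[-1] == '"'


def createprocess_candidates(program: str) -> list:
    """Locations CreateProcess tries, in order, for an unquoted path with spaces:
    each prefix ending at a space (with .exe appended when it has no extension)
    before the full path. These are the paths whose write ACLs must be checked."""
    parts = program.split(" ")
    candidates = []
    for k in range(1, len(parts)):
        prefix = " ".join(parts[:k])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    candidates.append(program)
    return candidates


def quote_for_runas(path: str) -> str:
    """Nested quoting: the outer quotes are consumed by argv parsing, the escaped
    inner quotes survive, so runas passes a quoted path on to CreateProcess."""
    return '"\\"' + path + '\\""'


# Command lines from the advisory (vulnerable form and corrected form).
AGENT_PATH = r"C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.2.38\honeyhashx86.exe"
VULNERABLE_CMD = 'runas /user:patchadmin /netonly /env "' + AGENT_PATH + '"'
FIXED_CMD = "runas /user:patchadmin /netonly /env " + quote_for_runas(AGENT_PATH)


def audit_runas(cmdline: str) -> dict:
    """Summarise one command line: is it runas, what will run, and what would be probed first."""
    program = runas_program_argument(cmdline)
    if program is None:
        return {"runas": False}
    safe = is_safely_quoted(program)
    return {"runas": True, "program": program, "safe": safe,
            "candidates": [] if safe else createprocess_candidates(program)}


if __name__ == "__main__":
    for cmd in (VULNERABLE_CMD, FIXED_CMD):
        print(cmd)
        print("  ->", audit_runas(cmd))
```

Running the block prints the audit of both command lines: the advisory's original call resolves to an unquoted program string and lists 'C:\Program.exe' as the first location CreateProcess would probe, while the corrected call yields a program string that is itself quoted and produces no candidates. The same parser can be run over command lines collected from Sysmon or procmon to find other services or agents that invoke runas with a single level of quoting.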
20220114 - initial disclosure to Rapid7