- Kolide
Kolide Windows Agent >= 1.5.3, < 1.12.3
The Kolide Windows agent contains a local privilege escalation vulnerability. An attacker with unprivileged user access to a local Windows machine can use it to escalate to SYSTEM.
Customers should upgrade to the latest version of the Kolide agent launcher, version 1.12.3 or higher.
This issue was found by Bryan Alexander of Atredis Partners.
- https://nvd.nist.gov/vuln/detail/CVE-2024-54131
- https://github.com/kolide/launcher/security/advisories/GHSA-66q9-2rvx-qfj5
- 2024-10-07: Atredis Partners reaches out to Kolide via their security email for an invite to their private HackerOne bounty program
- 2024-10-30: Atredis Partners receives an invite and joins the program
- 2024-11-15: Atredis Partners sends an initial notification to Kolide, including a draft advisory, via their private HackerOne program
- 2024-11-15: Kolide acknowledges receipt of the report
- 2024-11-25: Kolide confirms reproduction of the vulnerability, root cause, and remediation
- 2024-12-04: Kolide provides CVE and requests a retest of the vulnerability
- 2024-12-13: Atredis validates the developed fixes and confirms with Kolide
- 2025-02-25: Atredis Partners publishes advisory ATREDIS-2025-0001
A local privilege escalation vulnerability was discovered and tested on Windows 11 in Kolide version 1.9. Kolide uses a local service launcher (launcher.exe) to monitor and collect system information. This process launches a child process, osqueryd, to actually collect and process system information. Both processes run as SYSTEM.
When running, we noticed this child process attempting to load a DLL repeatedly:
10:18:46.9930278 PM osqueryd.exe 28272 CreateFile C:\ProgramData\Kolide\Launcher-kolide-k2\data\updates\osqueryd\5.13.1\%SystemDrive%\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\MpOav.dll NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a NT AUTHORITY\SYSTEM
Notice the unresolved %SystemDrive% path in the query. osqueryd is attempting to load MpOav.dll, used by Microsoft Windows Defender and the AMSI system, from a %ProgramData% path. This path is writable by all system users:
> Get-Acl c:\programdata\kolide\launcher-kolide-k2\data\updates | foreach-object {$_.Access}
[...]
FileSystemRights : Write
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : True
InheritanceFlags : ContainerInherit
PropagationFlags : None
If we create the search path and drop a DLL named MpOav.dll there, we can successfully load an arbitrary DLL into the osqueryd process:
10:19:03.8362372 PM osqueryd.exe 28272 CreateFile C:\ProgramData\Kolide\Launcher-kolide-k2\data\updates\osqueryd\5.13.1\%SystemDrive%\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\MpOav.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\SYSTEM
This is exploitable for two reasons:
- The updates folder is writable by non-administrative users
- The osqueryd process is launched with an empty environment, which causes osqueryd and its subsequent WMI calls to traverse paths, including the current directory, when %SystemDrive% is left unexpanded
Kolide remediated this by both modifying the update path permissions and initializing osqueryd's environment.
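As an added example (not part of the advisory and not Kolide's code), the following PowerShell function lets an administrator check a host for the two conditions the advisory describes: write access on the updates tree granted to principals other than SYSTEM and Administrators, and residue of the unexpanded-path DLL load (a directory literally named %SystemDrive% under the updates tree, or a MpOav.dll located there). The updates path defaults to the one shown in the advisory's Procmon and Get-Acl output; the trusted-principal list and the function name are assumptions, not Kolide conventions.

```powershell
function Test-KolideUpdatesDir {
    # Added example, not Kolide's code. Audits the launcher updates directory for
    # (a) write-class rights held by non-administrative principals and
    # (b) artefacts of the unexpanded %SystemDrive% path described in the advisory.
    param(
        # Default taken from the advisory's output; adjust for other install locations.
        [string]$UpdatesPath = 'C:\ProgramData\Kolide\Launcher-kolide-k2\data\updates'
    )

    if (-not (Test-Path -LiteralPath $UpdatesPath)) {
        Write-Warning "Updates path not found: $UpdatesPath"
        return
    }

    # Any of these rights lets a principal add or replace files in the tree.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    # Principals expected to write to a SYSTEM-owned tree (assumed list).
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    $findings = @()

    # (a) ACL review: flag Allow ACEs carrying a write-class right for untrusted principals.
    $acl = Get-Acl -LiteralPath $UpdatesPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            $findings += [pscustomobject]@{
                Check  = 'WritableByNonAdmin'
                Detail = "$($ace.IdentityReference) has $($ace.FileSystemRights) on $UpdatesPath (inherited: $($ace.IsInherited))"
            }
        }
    }

    # (b) Exploitation residue. A directory literally named "%SystemDrive%" only exists
    #     if someone created the unexpanded search path; MpOav.dll does not belong here.
    $items = Get-ChildItem -LiteralPath $UpdatesPath -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if ($item.PSIsContainer -and $item.Name -eq '%SystemDrive%') {
            $findings += [pscustomobject]@{ Check = 'UnexpandedEnvDir'; Detail = $item.FullName }
        }
        elseif (-not $item.PSIsContainer -and $item.Name -ieq 'MpOav.dll') {
            $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
            $findings += [pscustomobject]@{
                Check  = 'UnexpectedDll'
                Detail = "$($item.FullName) (signature: $($sig.Status))"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "No findings for $UpdatesPath"
    }
    else {
        $findings | Format-Table -AutoSize
    }
}

# Usage: run from an elevated PowerShell session on the endpoint.
Test-KolideUpdatesDir
```

On an unpatched host the ACL check reproduces the advisory's finding (BUILTIN\Users with inherited Write on the updates folder); after upgrading to launcher 1.12.3 or later, the same check is a quick way to confirm the permission change took effect, and the residue check is worth running once regardless, since a leftover %SystemDrive% directory or stray MpOav.dll indicates the path was exercised before the fix.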