Local Privilege Escalation in Gitlab-Runner (Windows)
HackerOne report #850734 by rem1nd
on 2020-04-15, assigned to @cmaxim:
Local Privilege Escalation in Gitlab-Runner
After downloading Gitlab-Runner onto a Windows system and following the installation instructions outlined https://docs.gitlab.com/runner/install/windows.html it is possible for a low privilege user to escalate to SYSTEM access.
Steps to reproduce
- Create a Windows system with two accounts. One administrator account and one regular user account. I call these accounts lowpriv(user) and dev(admin)
- Using the administrator account, install Gitlab-Runner onto the system following the installation instructions at https://docs.gitlab.com/runner/install/windows.html. Run the service with the first method documented there, the built-in system account.
- At this point Gitlab-Runner's service is installed and running under the context of SYSTEM.
- Because the recommended installation path C:\Gitlab-Runner sits directly under the drive root, the folder inherits the default ACL of C:\, which grants NT AUTHORITY\Authenticated Users an inheritable Modify (M) entry. Every authenticated user therefore gets Modify access on the folder and its contents, including the service binary. This can be confirmed with `icacls C:\Gitlab-Runner`.
- The low privilege user account logs into the system. Although an executable whose image is in use cannot be overwritten or deleted, it can be renamed, and renaming only requires the DELETE right that Modify includes. This non-administrator account is therefore able to rename the service binary C:\Gitlab-Runner\gitlab-runner.exe while the service is running, and can then place a custom binary at the original path.
- The low privilege user account reboots the system. On system startup the Gitlab-Runner service starts automatically and executes the new binary in the context of SYSTEM. This effectively allows the low privilege user account to escalate privileges to SYSTEM on the system.
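The following PowerShell script is an added example for auditing and hardening a host against the weakness described above; it is not code from the report or from GitLab. It assumes the documented install path C:\Gitlab-Runner and the service name gitlab-runner (both adjustable via parameters), resolves the service's actual image path, flags any Allow ACE that gives a low-privilege group write or delete rights on the install directory or the binary (delete is checked because a rename needs it), and with -Fix breaks inheritance from the drive root and leaves only Administrators and SYSTEM with write access.

```powershell
# Added example, not part of the HackerOne report or GitLab Runner.
# Audits the runner install directory and service binary for ACEs that let
# low-privilege users modify or rename the executable, and optionally fixes them.
# Assumptions: install path C:\Gitlab-Runner, service name gitlab-runner,
# run from an elevated PowerShell session.
param(
    [string]$ServiceName = 'gitlab-runner',
    [string]$InstallDir  = 'C:\Gitlab-Runner',
    [switch]$Fix
)

# Rights that allow replacing or renaming a file. Delete is included because a
# rename of a running executable only needs DELETE, not write access.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes

# Groups every interactive low-privilege account belongs to (name and well-known SID).
$lowPrivPrincipals = @{
    'NT AUTHORITY\Authenticated Users' = 'S-1-5-11'
    'BUILTIN\Users'                    = 'S-1-5-32-545'
    'Everyone'                         = 'S-1-1-0'
    'NT AUTHORITY\INTERACTIVE'         = 'S-1-5-4'
}

function Get-ServiceImagePath {
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # PathName may be quoted and may carry arguments; keep the executable only.
    # (Unquoted paths containing spaces are not handled; the documented path has none.)
    $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    [pscustomobject]@{ Path = $path; StartName = $svc.StartName; StartMode = $svc.StartMode }
}

function Find-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals.ContainsKey($_.IdentityReference.Value) -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
}

$svc = Get-ServiceImagePath -Name $ServiceName
"Service {0} runs as {1} ({2}) from {3}" -f $ServiceName, $svc.StartName, $svc.StartMode, $svc.Path

$targets = @($InstallDir, $svc.Path) | Sort-Object -Unique
$weak = foreach ($t in $targets) {
    foreach ($ace in Find-WeakAces -Path $t) {
        [pscustomobject]@{
            Path      = $t
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not $weak) {
    "OK: no write/delete rights for low-privilege principals on $($targets -join ', ')"
    return
}

"VULNERABLE: low-privilege principals can modify or rename the service binary:"
$weak | Format-Table -AutoSize

if ($Fix) {
    # Copy the inherited ACEs and stop inheriting from C:\ (/inheritance:d), then strip
    # the low-privilege entries by SID and set an explicit minimal ACL: Administrators and
    # SYSTEM full control, Users read/execute only, applied to the whole tree (/T).
    & icacls.exe $InstallDir /inheritance:d | Out-Null
    foreach ($sid in $lowPrivPrincipals.Values) {
        & icacls.exe $InstallDir /remove:g "*$sid" /T /C | Out-Null
    }
    & icacls.exe $InstallDir /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /T | Out-Null
    "Hardened $InstallDir. Re-run without -Fix to verify."
}
```

Run it once without -Fix to see the offending entries (on a default install it reports the inherited Authenticated Users Modify entry on both the directory and gitlab-runner.exe), then with -Fix from an elevated prompt. The same check applies to any other location the service reads and executes from, such as the runner's working directory and config.toml, so audit those paths too rather than only the binary.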
Impact
Complete compromise of the system: an attacker holding any low privilege account on a Windows system where Gitlab-Runner was installed as documented can escalate to SYSTEM and gain full control of the host.