Incorrect Default Permissions

CVE-2024-54131

Severity High
Score 7.3/10

Summary

The Kolide Agent, also known as "launcher," is a lightweight agent designed to integrate with Kolide's service. An implementation bug in the Kolide Agent allows local privilege escalation to the SYSTEM user on Windows 10 and 11 systems. The vulnerability was introduced in version 1.5.3, when the launcher began storing upgraded binaries in the ProgramData directory. With the move to this new directory, the launcher root directory inherited default permissions that are less restrictive than those of the previous storage location. These weaker permissions, combined with the "SystemDrive" environment variable being omitted when the launcher starts "osqueryd," enable a malicious actor with local access to exploit the vulnerability by placing an arbitrary DLL into the "osqueryd" process's search path. In certain scenarios, this DLL is executed when "osqueryd" performs a WMI query, allowing the attacker to escalate their privileges to "SYSTEM". The vulnerability affects Kolide Agent versions from v1.5.3 up to, but not including, v1.12.1.

  • LOW
  • LOCAL
  • NONE
  • LOW

CWE-276 - Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.
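
A defender-side check for the permission weakness described in the summary, as an added example that is not part of the advisory or Kolide's code: it lists Allow ACEs that grant write-type rights to broad groups anywhere in a directory tree. The `-RootPath` value is an assumption supplied by the operator, since the advisory does not give the launcher root path; the function name `Get-WeakAce` is hypothetical.

```powershell
# Added example (not Kolide's code): list Allow ACEs that let broad,
# non-administrative groups create, replace or re-permission files.
param(
    [Parameter(Mandatory = $true)]
    [string]$RootPath   # assumption: the launcher root directory on this host
)

# Well-known SIDs of groups that ordinary local users belong to.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Access-mask bits that permit planting or swapping a file:
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_DELETE_CHILD, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
             -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so localized or unresolvable names do not matter.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True means the ACE comes from a parent
        }
    }
}

# Check the root itself, then every directory beneath it.
$dirs = @($RootPath) + @(Get-ChildItem -LiteralPath $RootPath -Directory `
            -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })
foreach ($d in $dirs) { Get-WeakAce -Path $d }
```

Run it from an elevated prompt so every ACL in the tree can be read. Each row returned is a directory where a standard user holds a write-type right, with `Inherited` showing whether that right came from the parent directory's defaults.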

Advisory Timeline

  • Published