Blog

Overview

Octopus Deploy is a popular DevOps automation platform that enables teams to more efficiently manage configuration, API keys, and permissions. Octopus Server allows users to self-host this platform, and is installed as a service on the host. This service runs as Local System and is a very impactful target for local privilege escalation exploits.

This is a writeup for CVE-2021-26556, a local privilege escalation in Octopus Server.

The following versions are affected by this vulnerability:

  • All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  • All 2018.x.x, 2019.x.x, 2020.1.x, 2020.2.x, 2020.3.x versions
  • All 2020.4.x versions before 2020.4.229
  • All 2020.5.x versions before 2020.5.256

OctopusDeploy Local Privilege Escalation

In order to investigate field reports of potential permissions issues with the service, we signed up for the free license key here: https://octopus.com/start/server. From there, we were emailed instructions and a license key. Following the installation directions, we install the self-hosted server.

We used the default settings at every step, except for the installation directory which we changed to C:\tools to demonstrate the permission misconfiguration. This directory can either be created through the installer GUI, or through the command line – for example: mkdir C:\tools.

After completing the installation, we found the service was registered as expected.

Note the improper permissions, BUILTIN\Users Allow *, on the installation directory, which are inherited from the drive root:

To fully demonstrate the implications of this vulnerability, we created a new unprivileged user. Then, as this new user, we downloaded the provided CRYPTBASE.dll. Note how the user has permissions to add the poisoned dll to the installation directory. This DLL has a payload which will execute once the file is loaded. For more information on how this file was constructed, see our previous post.  

From here, we simply restarted the OctopusDeploy service as an administrator user (restarting the computer would have the same effect). This causes the payload to execute, which creates a file at C:\pwned, containing evidence of what access rights were gained:

The Fix

As described in the vendor advisory, the recommended solution is to download the latest version of Octopus Server from https://octopus.com/downloads.

If this is not possible, you can also fix the permissions on the existing installation directory, for example, with the script at the bottom of our previous blog post.

Vendor Notification

December 31st, 2020Reported to security@octopus.com
January 3rd, 2021Octopus Deploy team response
January 7th, 2021Vulnerability triaged by Octopus Deploy team
February 20thContinued correspondence with Octopus Deploy team
March 7thPatch and CVE-2021-26556 released, along with a patch for CVE-2021-26557 which is a similar issue in the Octopus Tentacle service.
April 13th, 2021DeepSurface Advisory published

Acknowledgements

We would like to thank the Octopus security team for their excellent response and thoroughness in investigating this issue.