Document permissions for each plugin (#573)

Also added CVE-2023-2226

Author: scudette

content/announcements/2023-cves/CVE-2023-2226.html

@@ -0,0 +1,83 @@
+<p><span>Published by <b>rapid7</b></span> Published 2023-04-21
+  (updated 2023-04-21)</p>
+<details class="popup">
+  <summary class="lbl rnd sec CVSS LOW">CVSS · LOW ·
+    3.3<sub>⁄10</sub> <span style="font-size:0px;opacity:0">·
+      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</span></summary>
+  <div class="pop wht rnd shd pad bor"><span>Scoring scenario:</span>
+    GENERAL
+    <div>attackVector: <b>LOCAL</b></div>
+    <div>attackComplexity: <b>LOW</b></div>
+    <div>privilegesRequired: <b>NONE</b></div>
+    <div>userInteraction: <b>REQUIRED</b></div>
+    <div>scope: <b>UNCHANGED</b></div>
+    <div>confidentialityImpact: <b>NONE</b></div>
+    <div>integrityImpact: <b>NONE</b></div>
+    <div>availabilityImpact: <b>LOW</b></div>
+    <div><a class="vgi-dial" href=
+            "https://cvss.js.org/#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
+            target="_blank">Open CVSS Calc</a></div>
+  </div>
+</details>
+<div id="description">
+  <p>Due to insufficient validation in the PE and OLE parsers in
+    Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker
+    to crash Velociraptor during parsing of maliciously malformed
+    files.&nbsp;<br>
+    <br>
+    For this attack to succeed, the attacker needs to be able to
+    introduce malicious files to the system at the same time that
+    Velociraptor attempts to collect any artifacts that attempt to
+    parse PE files, Authenticode signatures, or OLE files. After
+    crashing, the Velociraptor service will restart and it will still
+    be possible to collect other artifacts.<br>
+    <br></p>
+</div>
+<div id="problem">
+  <h4 class="vgi-bug">Problem:</h4>
+  <p>CWE-125 Out-of-bounds Read <a href=
+                                   "https://cwe.mitre.org/data/definitions/CWE-125" target=
+                                   "_blank"><small>CWE-125</small></a><br></p>
+</div>
+<div id="impact">
+  <h4 class="vgi-impact">Impact:</h4>
+  <p>CAPEC-540 Overread Buffers <a href=
+                                   "https://capec.mitre.org/data/definitions/CAPEC-540" target=
+                                   "_blank"><small>CAPEC-540</small></a><br></p>
+</div>
+<div id="status">
+  <h4>Affected Product Status:</h4>
+  <table class="tbl gap">
+    <colgroup>
+      <col>
+      <col class="affectedCol"></colgroup>
+    <thead>
+      <tr>
+        <th>Product</th>
+        <th>Affected</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr>
+        <td rowspan="1"><b class="vgi-package">Rapid7 Velociraptor</b>
+          <span>» PE Parser, OLE parser, Authenticode parser</span> <i>on</i>
+          <span class="vgi-stack">Windows</span><br>
+          <a class="vgi-package" href=
+             "https://github.com/Velocidex/velociraptor/releases">package
+            repo</a><a class="vgi-ext" href=
+                       "https://github.com/Velocidex/velociraptor/">source repo</a><br>
+          <span class="vgi-impact">Default status is unaffected</span></td>
+        <td>before 0.6.8<br></td>
+      </tr>
+    </tbody>
+  </table>
+  <br style="font-size:0;"></div>
+<div id="solution">
+  <h4 class="vgi-safe">Solution:</h4>
+  <p>Upgrade the clients to version 0.6.8-2</p>
+</div>
+<div class="rnd pad sec vgap" id="credits">
+  <h4 class="vgi-like">Credits:</h4>
+  <p>Thanks to b1tg https://github.com/b1tg for reporting these
+    issues and providing samples that trigger the crashes</p>
+</div>

content/announcements/2023-cves/_index.md

@@ -18,6 +18,9 @@ If you use multiple roles with your Velociraptor GUI users, we
 recommend to upgrade your server to the 0.6.7-5 release. These issues
 do not affect clients so there is no need to upgrade clients.
 
+## CVE-2023-2226  Velociraptor crashes while parsing some malformed PE or OLE files.
+{{< include-html "CVE-2023-2226.html" >}}
+
 ## CVE-2023-0242  Insufficient Permission Check In The VQL Copy() Function
 {{< include-html "CVE-2023-0242.html" >}}
 

content/vql_reference/basic/copy/_index.md

@@ -25,6 +25,10 @@ dest|The destination file to write.|string (required)
 permissions|Required permissions (e.g. 'x').|string
 append|If true we append to the target file otherwise truncate it|bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_WRITE</i>
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Copy a file.

content/vql_reference/basic/environ/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 var|Extract the var from the environment.|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Get an environment variable.

content/vql_reference/basic/expand/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 path|A path with environment escapes|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Expand the path using the environment.

content/vql_reference/basic/getpid/_index.md

@@ -14,6 +14,9 @@ no_edit: true
 <span class='vql_type pull-right page-header'>Function</span>
 
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Returns the current pid of the Velociraptor process.

content/vql_reference/basic/killkillkill/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 client_id||string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Kills the client and forces a restart - this is very aggressive!

content/vql_reference/basic/read_file/_index.md

@@ -24,6 +24,9 @@ offset|Where to read from the file.|int64
 filename|One or more files to open.|OSPath (required)
 accessor|An accessor to use.|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Read a file into a string.

content/vql_reference/basic/tempdir/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 remove_last|If set we delay removal as much as possible.|bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_WRITE</i>
+
 ### Description
 
 Create a temporary directory. The directory will be removed when the query ends.

content/vql_reference/basic/unzip/_index.md

@@ -24,6 +24,10 @@ accessor|The accessor to use|string
 filename_filter|Only extract members matching this filter.|string
 output_directory|Where to unzip to|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_WRITE</i>
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Unzips a file into a directory

content/vql_reference/basic/upload_sftp/_index.md

@@ -28,6 +28,9 @@ privatekey|The private key to use|string (required)
 endpoint|The Endpoint to use including port number (e.g. 192.168.1.1:22 )|string (required)
 hostkey|Host key to verify. Blank to disable|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Upload files to SFTP.

content/vql_reference/basic/upload_webdav/_index.md

@@ -28,6 +28,9 @@ basic_auth_password|The password to use in HTTP basic auth|string
 noverifycert|Skip TLS Verification (deprecated in favor of SkipVerify)|bool
 skip_verify|Skip TLS Verification|bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Upload files to a WebDAV server.

content/vql_reference/event/send_event/_index.md

@@ -22,6 +22,10 @@ Arg | Description | Type
 artifact|The artifact name to send the event to.|string (required)
 row|The row to send to the artifact|ordereddict.Dict (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+<i class="linkcolour label pull-right label-success">PUBLISH</i>
+
 ### Description
 
 Sends an event to a server event monitoring queue.

content/vql_reference/event/watch_csv/_index.md

@@ -26,6 +26,9 @@ separator|Comma separator (default ',')|string
 comment|The single character that should be considered a comment|string
 columns|The columns to use|list of string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Watch a CSV file and stream events from it. Note: This is an event

content/vql_reference/event/watch_evtx/_index.md

@@ -23,6 +23,9 @@ filename|A list of event log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 messagedb|A Message database from https://github.com/Velocidex/evtx-data.|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Watch an EVTX file and stream events from it.

content/vql_reference/event/watch_monitoring/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 artifact|The artifact to watch|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">READ_RESULTS</i>
+
 ### Description
 
 Watch clients' monitoring log. This is an event plugin. This

content/vql_reference/event/watch_syslog/_index.md

@@ -23,6 +23,9 @@ filename|A list of log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 buffer_size|Maximum size of line buffer.|int
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
 ### Description
 
 Watch a syslog file and stream events from it. 

content/vql_reference/linux/audit/_index.md

@@ -14,6 +14,9 @@ no_edit: true
 <span class='vql_type pull-right page-header'>Plugin</span>
 
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Register as an audit daemon in the kernel.

content/vql_reference/misc/client_create/_index.md

@@ -26,6 +26,9 @@ os|What type of OS this is (default offline)|string
 hostname|The hostname of the system|string
 client_id|if set we use this client id otherwise we make a new one|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+
 ### Description
 
 Create a new client in the data store.

content/vql_reference/misc/create_notebook_download/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 notebook_id|Client ID to export.|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">PREPARE_RESULTS</i>
+
 ### Description
 
 Creates a notebook export zip file.

content/vql_reference/misc/delete_events/_index.md

@@ -25,6 +25,9 @@ start_time|Start time to be deleted|time.Time
 end_time|End time to be deleted|time.Time
 really_do_it|If not specified, just show what files will be removed|bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+
 ### Description
 
 Delete all the files that make up a flow.

content/vql_reference/misc/delete_flow/_index.md

@@ -22,6 +22,9 @@ Arg | Description | Type
 client_id||string (required)
 flow_id||string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+
 ### Description
 
 Delete all the files that make up a flow.

content/vql_reference/misc/efivariables/_index.md

@@ -23,6 +23,9 @@ namespace|Variable namespace.|string
 name|Variable name|string
 value|Read variable value|bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Enumerate efi variables.

content/vql_reference/misc/flow_logs/_index.md

@@ -22,6 +22,9 @@ Arg | Description | Type
 flow_id|The flow id to read.|string (required)
 client_id|The client id to extract|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">READ_RESULTS</i>
+
 ### Description
 
 Retrieve the query logs of a flow.

content/vql_reference/misc/get_flow/_index.md

@@ -22,6 +22,10 @@ Arg | Description | Type
 client_id||string (required)
 flow_id||string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">COLLECT_CLIENT</i>
+<i class="linkcolour label pull-right label-success">COLLECT_SERVER</i>
+
 ### Description
 
 Gets flow details.

content/vql_reference/misc/hunt_delete/_index.md

@@ -22,6 +22,9 @@ Arg | Description | Type
 hunt_id||string (required)
 really_do_it||bool
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+
 ### Description
 
 Delete a hunt. 

content/vql_reference/misc/hunt_update/_index.md

@@ -24,6 +24,9 @@ stop|Stop the hunt|bool
 start|Start the hunt|bool
 description|Update hunt description|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">START_HUNT</i>
+
 ### Description
 
 Update a hunt.

content/vql_reference/misc/mail/_index.md

@@ -32,6 +32,9 @@ auth_password|The SMTP username password we use to authenticate to the server.|s
 skip_verify|Skip SSL verification(default: False).|bool
 root_ca|As a better alternative to disable_ssl_security, allows root ca certs to be added here.|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">SERVER_ADMIN</i>
+
 ### Description
 
 Send Email to a remote server.

content/vql_reference/misc/monitoring_logs/_index.md

@@ -25,6 +25,9 @@ source|An optional named source within the artifact|string
 start_time|Start return events from this date (for event sources)|Any
 end_time|Stop end events reach this time (event sources).|Any
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">READ_RESULTS</i>
+
 ### Description
 
 Retrieve log messages from client event monitoring for the specified client id and artifact

content/vql_reference/misc/org_create/_index.md

@@ -22,6 +22,9 @@ Arg | Description | Type
 name|The name of the org.|string (required)
 org_id|An ID for the new org (if not set use a random ID).|string
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">ORG_ADMIN</i>
+
 ### Description
 
 Creates a new organization.

content/vql_reference/misc/org_delete/_index.md

@@ -21,6 +21,9 @@ Arg | Description | Type
 ----|-------------|-----
 org|The org ID to delete.|string (required)
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">ORG_ADMIN</i>
+
 ### Description
 
 Deletes an Org from the server.

content/vql_reference/misc/pe_dump/_index.md

@@ -23,6 +23,9 @@ pid|The pid to dump.|uint64 (required)
 base_offset|The offset in the file for the base address.|int64 (required)
 in_memory|By default we store to a tempfile and return the path. If this option is larger than 0, we prepare the file in a memory buffer at the specified limit, to avoid AV alerts on disk access.|uint64
 
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
 ### Description
 
 Dump a PE file from process memory.