Added CVE-2023-5950

content/_index.md

@@ -21,6 +21,11 @@ carousel:
 
 ---
 
+{{% notice warning "CVE-2023-5950 published on 2023-11-06" %}}
+Please upgrade your servers to mitigate `CVE-2023-5950` to at least release `0.7.0-4` or `0.6.9-1`.
+
+[More details](/announcements/2023-cves/)
+{{% /notice %}}
 
 ## Velociraptor - Digging Deeper!
 

content/announcements/2023-cves/CVE-2023-5950.html

@@ -0,0 +1,86 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta name="generator" content=
+          "HTML Tidy for HTML5 for Linux version 5.6.0">
+      <title></title>
+    </head>
+    <body>
+      <p><span>Published</span> on 2023-11-06</p>
+      <details class="popup">
+        <summary class="lbl rnd sec CVSS HIGH">CVSS · HIGH ·
+        8.6<sub>⁄10</sub> <span style="font-size:0px;opacity:0">·
+        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L</span></summary>
+        <div class="pop wht rnd shd pad bor"><span>Scoring scenario:</span>
+        GENERAL
+        <div>attackVector: <b>NETWORK</b></div>
+        <div>attackComplexity: <b>LOW</b></div>
+        <div>privilegesRequired: <b>NONE</b></div>
+        <div>userInteraction: <b>NONE</b></div>
+        <div>scope: <b>UNCHANGED</b></div>
+        <div>confidentialityImpact: <b>HIGH</b></div>
+        <div>integrityImpact: <b>LOW</b></div>
+        <div>availabilityImpact: <b>LOW</b></div>
+        <div><a class="vgi-dial" href=
+                "https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
+                target="_blank">Open CVSS Calc</a></div>
+        </div>
+      </details>
+      <div id="description">
+        <p>Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a
+        reflected cross site scripting vulnerability. This vulnerability
+        allows attackers to inject JS into the error path, potentially
+        leading to unauthorized execution of scripts within a user's web
+        browser.&nbsp;This vulnerability is fixed in version 0.7.0-4 and
+        a patch is available to download. Patches are also
+        available for version 0.6.9 (0.6.9-1)<br>
+
+        This issue affects the server only.
+        <br></p>
+      </div>
+      <div id="problem">
+        <h2>Problem:</h2>
+        <p>CWE-79 Improper Neutralization of Input During Web Page
+        Generation ('Cross-site Scripting') <a href=
+        "https://cwe.mitre.org/data/definitions/CWE-79" target=
+        "_blank"><small>CWE-79</small></a><br></p>
+      </div>
+      <div id="status">
+        <h2>Product Status:</h2>
+        <table class="striped">
+          <colgroup>
+            <col>
+              <col class="affectedCol"></colgroup>
+              <thead>
+                <tr>
+                  <th>Product</th>
+                  <th>Affected</th>
+                </tr>
+              </thead>
+              <tbody>
+                <tr>
+                  <td rowspan="1"><b class="vgi-package">Rapid7 Velociraptor</b></td>
+                  <td>before 0.7.0-4</td>
+                </tr>
+              </tbody>
+            </table>
+            <br style="font-size:0;"></div>
+            <div class="rnd pad sec vgap" id="credits">
+              <h2>Credits:</h2>
+              <p>Mathias Kujala</p>
+            </div>
+            <div id="references">
+              <h2>References</h2>
+              <div><a href=
+                      "https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/">
+              docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/</a></div>
+            </div>
+            <div id="timeline">
+              <h2>Timeline:</h2>
+              <ul>
+                <li>2023-11-02 - Notification of the issue</li>
+                <li>2023-11-06 - Release 0.7.0-4 made available on Github</li>
+              </ul>
+            </div>
+          </body>
+        </html>

content/announcements/2023-cves/_index.md

@@ -10,20 +10,23 @@ noTitle: true
 
 ---
 
-The following CVEs were reported with the current 0.6.7 release. Both
-Vulnerabilities can result in privilege escalation from low privilege
-"investigator" Velociraptor users to "administrator" level.
+The following CVEs were reported in 2023. Please upgrade to the
+current release which is 0.7.0-4
 
-If you use multiple roles with your Velociraptor GUI users, we
-recommend to upgrade your server to the 0.6.7-5 release. These issues
-do not affect clients so there is no need to upgrade clients.
+## CVE-2023-5950  Rapid7 Velociraptor Reflected XSS.
+{{< include-html "CVE-2023-5950.html" >}}
+
+<hr/>
 
 ## CVE-2023-2226  Velociraptor crashes while parsing some malformed PE or OLE files.
 {{< include-html "CVE-2023-2226.html" >}}
 
+<hr/>
+
 ## CVE-2023-0242  Insufficient Permission Check In The VQL Copy() Function
 {{< include-html "CVE-2023-0242.html" >}}
 
+<hr/>
 
 ## CVE-2023-0290 Directory Traversal In Client Id Parameter
 {{< include-html "CVE-2023-0290.html" >}}

content/vql_reference/event/watch_evtx/_index.md

@@ -22,6 +22,7 @@ Arg | Description | Type
 filename|A list of event log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 messagedb|A Message database from https://github.com/Velocidex/evtx-data.|string
+workers|If specified we use this many workers to parse the file in parallel (default 1).|int64
 
 Required Permissions: 
 <i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>

content/vql_reference/misc/_index.md

@@ -27,6 +27,7 @@ Miscellaneous plugins not yet categorized.
 |[hunt_delete](hunt_delete)|<span class='vql_type'>Plugin</span>|Delete a hunt|
 |[hunt_update](hunt_update)|<span class='vql_type'>Function</span>|Update a hunt|
 |[leveldb](leveldb)|<span class='vql_type'>Plugin</span>|Enumerate all items in a level db database|
+|[logging](logging)|<span class='vql_type'>Plugin</span>|Watch the logs emitted by the server|
 |[logscale_upload](logscale_upload)|<span class='vql_type'>Plugin</span>|Upload rows to LogScale ingestion server|
 |[lru](lru)|<span class='vql_type'>Function</span>|Creates an LRU object|
 |[lzxpress_decompress](lzxpress_decompress)|<span class='vql_type'>Function</span>|Decompress an lzxpress blob|
@@ -54,10 +55,13 @@ Miscellaneous plugins not yet categorized.
 |[profile_memory](profile_memory)|<span class='vql_type'>Plugin</span>|Enumerates all in use memory within the runtime|
 |[pskill](pskill)|<span class='vql_type'>Function</span>|Kill the specified process|
 |[query](query)|<span class='vql_type'>Plugin</span>|Evaluate a VQL query|
+|[read_crypto_file](read_crypto_file)|<span class='vql_type'>Plugin</span>|Read a previously stored encrypted local storage file|
 |[rekey](rekey)|<span class='vql_type'>Function</span>|Causes the client to rekey and regenerate a new client ID|
 |[remap](remap)|<span class='vql_type'>Function</span>|Apply a remapping configuration to the root scope|
 |[repack](repack)|<span class='vql_type'>Function</span>|Repack and upload a repacked binary or MSI to the server|
 |[server_frontend_cert](server_frontend_cert)|<span class='vql_type'>Function</span>|Get Server Frontend Certificate|
+|[sigma](sigma)|<span class='vql_type'>Plugin</span>|Evaluate sigma rules|
+|[sigma_log_sources](sigma_log_sources)|<span class='vql_type'>Function</span>|Constructs a Log sources object to be used in sigma rules|
 |[sysinfo](sysinfo)|<span class='vql_type'>Function</span>|Collect system information on Linux clients|
 |[tlsh_hash](tlsh_hash)|<span class='vql_type'>Function</span>|Calculate the tlsh hash of a file|
 |[trace](trace)|<span class='vql_type'>Function</span>|Upload a trace file|
@@ -66,4 +70,5 @@ Miscellaneous plugins not yet categorized.
 |[user](user)|<span class='vql_type'>Function</span>|Retrieves information about the Velociraptor user|
 |[user_grant](user_grant)|<span class='vql_type'>Function</span>|Grants the user the specified roles|
 |[vfs_ls](vfs_ls)|<span class='vql_type'>Plugin</span>|List directory and build a VFS object|
+|[write_crypto_file](write_crypto_file)|<span class='vql_type'>Plugin</span>|Write a query into an encrypted local storage file|
 |[write_jsonl](write_jsonl)|<span class='vql_type'>Plugin</span>|Write a query into a JSONL file|

content/vql_reference/misc/logging/_index.md

@@ -0,0 +1,30 @@
+---
+title: logging
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## logging
+<span class='vql_type pull-right page-header'>Plugin</span>
+
+
+
+<div class="vqlargs"></div>
+
+Arg | Description | Type
+----|-------------|-----
+component||string
+
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">READ_RESULTS</i>
+
+### Description
+
+Watch the logs emitted by the server.
+

content/vql_reference/misc/read_crypto_file/_index.md

@@ -0,0 +1,30 @@
+---
+title: read_crypto_file
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## read_crypto_file
+<span class='vql_type pull-right page-header'>Plugin</span>
+
+
+
+<div class="vqlargs"></div>
+
+Arg | Description | Type
+----|-------------|-----
+filename|Path to the file to write|OSPath (required)
+
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>
+
+### Description
+
+Read a previously stored encrypted local storage file.
+

content/vql_reference/misc/sigma/_index.md

@@ -0,0 +1,32 @@
+---
+title: sigma
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## sigma
+<span class='vql_type pull-right page-header'>Plugin</span>
+
+
+
+<div class="vqlargs"></div>
+
+Arg | Description | Type
+----|-------------|-----
+rules|A list of sigma rules to compile.|list of string (required)
+log_sources|A log source object as obtained from the sigma_log_sources() VQL function.|Any (required)
+field_mapping|A dict containing a mapping between a rule field name and a VQL Lambda to get the value of the field from the event.|ordereddict.Dict
+debug|If enabled we emit all match objects with description of what would match.|bool
+rule_filter|If specified we use this callback to filter the rules for inclusion.|Lambda
+default_details|If specified we use this callback to determine a details column if the sigma rule does not specify it.|Lambda
+
+### Description
+
+Evaluate sigma rules.
+

content/vql_reference/misc/sigma_log_sources/_index.md

@@ -0,0 +1,20 @@
+---
+title: sigma_log_sources
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## sigma_log_sources
+<span class='vql_type pull-right page-header'>Function</span>
+
+
+### Description
+
+Constructs a Log sources object to be used in sigma rules. Call with args being category/product/service and values being stored queries. You may use a * as a placeholder for any of these fields.
+

content/vql_reference/misc/write_crypto_file/_index.md

@@ -0,0 +1,34 @@
+---
+title: write_crypto_file
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## write_crypto_file
+<span class='vql_type pull-right page-header'>Plugin</span>
+
+
+
+<div class="vqlargs"></div>
+
+Arg | Description | Type
+----|-------------|-----
+filename|Path to the file to write|OSPath (required)
+query|query to write into the file.|StoredQuery (required)
+max_wait|How often to flush the file (default 60 sec).|uint64
+max_rows|How many rows to buffer before writing (default 1000).|uint64
+max_size|When the file grows to this size, truncate it (default 1Gb).|uint64
+
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">FILESYSTEM_WRITE</i>
+
+### Description
+
+Write a query into an encrypted local storage file.
+

content/vql_reference/parsers/parse_evtx/_index.md

@@ -22,6 +22,7 @@ Arg | Description | Type
 filename|A list of event log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 messagedb|A Message database from https://github.com/Velocidex/evtx-data.|string
+workers|If specified we use this many workers to parse the file in parallel (default 1).|int64
 
 Required Permissions: 
 <i class="linkcolour label pull-right label-success">FILESYSTEM_READ</i>

content/vql_reference/plugin/_index.md

@@ -55,6 +55,7 @@ or in condition clauses (i.e. after the `WHERE` keyword).
 |[js_set](js_set)|<span class='vql_type'>Function</span>|Set a variables value in the JS VM|
 |[magic](magic)|<span class='vql_type'>Function</span>|Identify a file using magic rules|
 |[netcat](netcat)|<span class='vql_type'>Plugin</span>|Make a tcp connection and read data from a socket|
+|[netstat](netstat)|<span class='vql_type'>Plugin</span>|Collect network information|
 |[pathspec](pathspec)|<span class='vql_type'>Function</span>|Create a structured path spec to pass to certain accessors|
 |[pipe](pipe)|<span class='vql_type'>Function</span>|A pipe allows plugins that use files to read data from a vql|
 |[profile](profile)|<span class='vql_type'>Plugin</span>|Returns a profile dump from the running process|

content/vql_reference/plugin/netstat/_index.md

@@ -0,0 +1,23 @@
+---
+title: netstat
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+<div class="vql_item"></div>
+
+
+## netstat
+<span class='vql_type pull-right page-header'>Plugin</span>
+
+
+Required Permissions: 
+<i class="linkcolour label pull-right label-success">MACHINE_STATE</i>
+
+### Description
+
+Collect network information.
+

content/vql_reference/plugin/profile/_index.md

@@ -31,6 +31,7 @@ logs|Recent logs|bool
 queries|Recent Queries run|bool
 metrics|Collect metrics|bool
 duration|Duration of samples (default 30 sec)|int64
+type|The type of profile (this is a regex of debug output types that will be shown).|string
 
 Required Permissions: 
 <i class="linkcolour label pull-right label-success">MACHINE_STATE</i>

content/vql_reference/windows/_index.md

@@ -20,7 +20,6 @@ APIs. The following are only available when running on Windows.
 |[interfaces](interfaces)|<span class='vql_type'>Plugin</span>|List all active network interfaces using the API|
 |[lookupSID](lookupSID)|<span class='vql_type'>Function</span>|Get information about the SID|
 |[modules](modules)|<span class='vql_type'>Plugin</span>|Enumerate Loaded DLLs|
-|[netstat](netstat)|<span class='vql_type'>Plugin</span>|Collect network information|
 |[partitions](partitions)|<span class='vql_type'>Plugin</span>|List all partitions|
 |[proc_dump](proc_dump)|<span class='vql_type'>Plugin</span>|Dumps process memory|
 |[proc_yara](proc_yara)|<span class='vql_type'>Plugin</span>|Scan processes using yara rules|