Monday, April 9, 2018

[FD] [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution

Advisory: CyberArk Password Vault Web Access Remote Code Execution

The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server.

Details
=======

Product: CyberArk Password Vault Web Access
Affected Versions: < 9.9.5, < 9.10, 10.1
Fixed Versions: 9.9.5, 9.10, 10.2
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-014
Advisory Status: published
CVE: CVE-2018-9843
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9843

Introduction
============

"CyberArk Enterprise Password Vault is designed to secure, rotate and control access to privileged account credentials based on organizational policies. A flexible architecture allows organizations to start small and scale to the largest, most complex IT environments. The solution protects privileged account credentials used to access the vast majority of systems." (from the Enterprise Password Vault Data Sheet [1])

More Details
============

The CyberArk Password Vault provides secure storage for credentials. It may be accessed through various clients which are also provided by CyberArk. One such client is the CyberArk Password Vault Web Access, a .NET web application. After logging into the web application with their credentials, users may access credentials kept in the vault.

Additionally, CyberArk Password Vault Web Access provides a REST API for programmatic access to the vault. This API is available at a URL similar to the following:

https://10.0.0.6/PasswordVault/WebServices/

The API provides multiple endpoints with different methods. Most methods provided by the API require prior authentication. Consequently, a user's API call must include an authentication token in an HTTP authorization header. Tokens may be generated by calling a dedicated "Logon" API method.

Analysis of this token by RedTeam Pentesting revealed that it consists of a base64 encoded, serialized .NET object of the type "CyberArk.Services.Web.SessionIdentifiers". This class consists of four string attributes which hold information about a user's session. The integrity of the serialized data is not protected. Therefore, attackers may send arbitrary .NET objects to the API in the authorization header. By leveraging certain gadgets, such as the ones provided by ysoserial.net [2], attackers may execute arbitrary code in the context of the web application.

Proof of Concept
================

First, a malicious serialized .NET object is created. Here the "TypeConfuseDelegate" gadget of ysoserial.net is used to execute the "ping" command:
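A defender-side check, added here as an example and not part of the advisory: it base64-decodes the token from the authorization header and walks only the leading MS-NRBF records (BinaryFormatter's header, any BinaryLibrary record, then the first class record) to confirm that the root object is the SessionIdentifiers type named above; any other root type is reported as suspicious without the data ever being deserialized. The header scheme, the assembly name and the layout of the constructed sample tokens are assumptions, not taken from the advisory.

```python
import base64

# MS-NRBF header (record 0x00, RootId 1, HeaderId -1, version 1.0) as BinaryFormatter emits it
NRBF_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
EXPECTED_ROOT = "CyberArk.Services.Web.SessionIdentifiers"  # type named in the advisory
CLASS_RECORDS = {0x02, 0x03, 0x04, 0x05}  # (System)ClassWithMembers[AndTypes] records
BINARY_LIBRARY = 0x0C

def _read_lps(blob, pos):
    """Read an NRBF LengthPrefixedString: 7-bit varint length, then UTF-8 bytes."""
    length, shift = 0, 0
    while True:
        b, pos = blob[pos], pos + 1
        length |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return blob[pos:pos + length].decode("utf-8"), pos + length

def root_type(token_b64):
    """(root class name, assemblies declared before it), or None if not NRBF at all."""
    try:
        blob = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return None
    if not blob.startswith(NRBF_HEADER):
        return None
    pos, libraries = len(NRBF_HEADER), []
    try:
        while pos < len(blob) and blob[pos] in CLASS_RECORDS | {BINARY_LIBRARY}:
            rec, pos = blob[pos], pos + 1
            if rec in CLASS_RECORDS:  # ClassInfo starts with ObjectId (int32), Name
                return _read_lps(blob, pos + 4)[0], libraries
            name, pos = _read_lps(blob, pos + 4)  # BinaryLibrary: LibraryId, LibraryName
            libraries.append(name)
    except IndexError:
        return "<truncated>", libraries
    return "<no-root-record>", libraries

def verdict(authorization_header):  # 'expected' only for a SessionIdentifiers root object
    parsed = root_type(authorization_header.split(None, 1)[-1])
    return "not-nrbf" if parsed is None else "expected" if parsed[0] == EXPECTED_ROOT else "suspicious"

def make_sample(root, library=None):  # constructed token prefix for tests, not a real token
    lps = lambda s: bytes([len(s.encode())]) + s.encode()  # names here are under 128 bytes
    blob = bytearray(NRBF_HEADER)
    if library:  # BinaryLibrary record: LibraryId 2 (int32 LE), then the name
        blob += bytes([BINARY_LIBRARY, 2, 0, 0, 0]) + lps(library)
    blob += bytes([0x05 if library else 0x04, 1, 0, 0, 0]) + lps(root)  # ObjectId 1, Name
    blob += bytes([4, 0, 0, 0])  # MemberCount; the rest of ClassInfo is omitted here
    return base64.b64encode(bytes(blob)).decode()
```

Because the check stops at the first class record, it never allocates or instantiates anything from the token, which is the property you want in a WAF rule or log-review script for this class of bug.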
