Tuesday, 26 June 2018

Exploiting CyberArk 10.2.1.603

Some time ago I found a few bugs in CyberArk (version 10.2.1.603). Since all of them are 'for logged-in users only', I think I can just leave them here; maybe you will find them useful. ;) A few details below...

Let's start from the beginning:

1) open-redirect bug?

Maybe it's some 'feature'... but sending a POST request to UserSets.aspx with the content presented below



will show you a 302 response in Intruder's tab. I was wondering what would happen if I set up Apache2 on my Kali box on port 9090 and pointed the txtManagerSite param at that box (for the /asd 'resource')...

Response from Burp:


...ok it wasn't Apache ;]
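The defender-side fix for this class of bug is to validate the redirect target before issuing the 302. The function below is an added example written for this post, not CyberArk's code: it accepts only same-site paths or absolute URLs whose host is on an allow-list (the host `vault.example.internal` and the fallback path `/` are constructed placeholders), and it rejects the usual bypasses (protocol-relative `//host`, backslash variants, userinfo tricks, non-http schemes).

```python
from urllib.parse import urlsplit

# Hosts this deployment may redirect to. Constructed for the example;
# a real deployment would load this from configuration.
ALLOWED_HOSTS = {"vault.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host.

    Rejects absolute URLs to other hosts, protocol-relative URLs (//host/...),
    non-http(s) schemes, userinfo tricks (https://good@evil/) and backslash
    variants that some browsers normalise to a forward slash.
    """
    if not target:
        return False
    # Browsers treat '\' like '/', so '/\evil' is really '//evil'.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: the effective host must be allowed.
        # `hostname` is lowercased and has userinfo and port stripped.
        return parts.hostname in allowed_hosts
    # Relative target: must be a plain local path, never '//...'.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Where the application should actually send the user after login/logout."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("/asd", "http://10.0.0.5:9090/asd", "//10.0.0.5/asd",
                      "/\\10.0.0.5/asd", "https://vault.example.internal@10.0.0.5/"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

The check is deliberately conservative: a bare relative path without a leading slash is refused as well, because resolving it depends on the current page's URL and is easy to get wrong.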

Cool. Next.


2) persistent XSS - account name - create token

I decided to create some 'Tokens' - results below:


If you're looking for a cool 'Account Name', this one should be good to start:


When I tried different 'payload', I saw something new in the background:


I think our token is created now:

;]

Last hint:





Next.


3) persistent XSS - VfManager.asmx - SeceltAccounts->DisplayName

Sending POST again:



Response:


Don't worry. ;> Let's check some of the 'Groups' - below:


;]

Next.

4) user's groups - ConfigurationPage

When you go to check the (just created) "user's groups" in your ConfigurationPage, you will find:


5) persistent XSS - "Dialog Title"




6) persistent XSS - Adding Group

 
Response:


...and...


...cookie in prompt(). Same results with prompt(1) (just for a 'better view' ;)):

 


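All of the persistent XSS findings above (account name, DisplayName, dialog title, group name) have the same root cause: a user-supplied name is stored and later written into HTML without encoding for the context it lands in. The snippet below is an added example, not code from CyberArk or from this post, showing the two controls a defender would want: an allow-list on input (the `NAME_RE` policy is constructed for the example) and context-aware output encoding, next to the raw concatenation that produces the bug. In ASP.NET the encoding calls would be `HttpUtility.HtmlEncode` / `HttpUtility.HtmlAttributeEncode`; here Python's `html.escape` plays that role.

```python
import html
import re

# Allow-list for account / group / dialog names: letters, digits, space and a
# few separators, at most 64 characters. Constructed policy for this example.
NAME_RE = re.compile(r"[A-Za-z0-9 ._@-]{1,64}")


def validate_name(name: str) -> bool:
    """Input-side control: reject anything outside the allow-list."""
    return NAME_RE.fullmatch(name) is not None


def render_row(account_name: str, dialog_title: str) -> str:
    """Output-side control: encode each untrusted value for its HTML context.

    Element content needs &, < and > encoded; an attribute value additionally
    needs the quote characters encoded so the value cannot close the attribute.
    """
    cell = html.escape(account_name, quote=False)   # element-content context
    title = html.escape(dialog_title, quote=True)   # attribute-value context
    return f'<tr><td data-title="{title}">{cell}</td></tr>'


def render_row_unsafe(account_name: str, dialog_title: str) -> str:
    """What the vulnerable rendering looks like: raw string concatenation."""
    return f'<tr><td data-title="{dialog_title}">{account_name}</td></tr>'


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and the kind of stored payload
    # the post describes (prompt(1) in an account name / attribute).
    samples = [("svc-backup_01", "Backup accounts"),
               ("<script>prompt(1)</script>", 'x" onmouseover="prompt(1)')]
    for name, title in samples:
        print("valid input:", validate_name(name), "/", validate_name(title))
        print("unsafe:", render_row_unsafe(name, title))
        print("safe:  ", render_row(name, title))
```

Output encoding is the control that actually stops the script from running; the input allow-list is defence in depth and also keeps the stored value from breaking other consumers (reports, exports, log lines) that may not encode at all.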
Enough for now. ;]



Questions/comments?

Cheers,
Cody

o/


2 comments:

  1. so.. how to fix this?

    1. Hi,

      well. "Stay up-to-date" like the Vendor said (https;//www, cyberark, com/product-security/)? ;)

      Thank you for watching. :)

      Cheers
