CyberArk Enterprise Password Vault – XML External Entity (XXE) Injection

-----------Product description
The CyberArk Enterprise Password Vault is a privileged access security solution to store, monitor and rotate credentials. The main objective of the solution is protecting the privileged accounts that are used to administrate the systems of the organisations.

-----------Vulnerability description
This vulnerability allows remote attackers to disclose sensitive information or potentially bypass the authentication system.

-----------Vulnerability Details
# Exploit Title: XML External Entity (XXE) Injection in SAML authentication
# Affected Component: Password Vault Web Access (PVWA)
# Affected Version: <=10.7
# Vendor: CyberArk
# Vendor Homepage: https://www.cyberark.com
# Date: 18/12/2018
# CVSS Base Score: 7.5 (High)
# CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Exploit Author: Marcelo Torán (Nixu Corporation)
# CVE: CVE-2019-7442
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442

-----------Technical Description
It has been found that the XML parser of the SAML authentication system of the Password Vault Web Access (PVWA) is vulnerable to XML External Entity (XXE) attacks via a crafted DTD. No user interaction or privileges are required as the vulnerability is triggered in pre-authentication.
The vulnerable component is: https://example.com/PasswordVault/auth/saml
The vulnerable argument: SAMLResponse

-----------Timeline
18/12/2018 – Vulnerability discovered
10/01/2019 – Vendor notified
23/01/2019 – Vulnerability accepted
05/02/2019 – CVE number requested
05/02/2019 – CVE number assigned
19/02/2019 – Vendor released a patch
19/02/2019 – Advisory released

-----------Proof of Concept (PoC)

Violent Rapberry Pi Zero: Configuration – Part 1

As it’s possible to configure the USB port of the Raspberry Pi Zero as an Ethernet (also  HID, hard drive) device, we will try to imitate the USB Armory attacks in a cheaper open-source hardware.

Objectives Part 1:  Configure the Pi to enable the USB Ethernet and connect trough SSH.

We will follow the instructions to modify the image:

  1. Flash Raspbian Jessie onto the SD card.
  2. In the boot partition:
    • config.txt  -(Add)–> dtoverlay=dwc2
    • cmdline.txt -(Add after rootwait)–> modules-load=dwc2,g_ether

In this case we will connect through the serial port to the Raspberry Pi to check the IP, as we can not SSH into it using the raspberrypi.local address. (and because we can 😀 )

We will connect with the Bus Pirate tool to the UART port.

Check the color of the UART wires (gray and black):

Bus Pirate Pinout diagram (take care as the color of the wires depends on the way it was soldered)

Check the Pins of the UART protocol (GPIO 14 and 15):

GPIO
Raspberry Pi Zero Pinout diagram

 

Connection resume:
  • Bus Pirate Red wire      –> RPI Pin #3 (3.3V)
  • Bus Pirate Black wire   –> RPI Pin #8 (GPIO14)
  • Bus Pirate Gray wire     –> RPI Pin #10 (GPIO15)
  • Bus Pirate Brown wire  –> RPI Pin #34 (GND)
Bus Pirate –  Raspberry connection

UART connection through Bus Pirate and SSH through USB0 interface:

Actually the simplest way is to edit the dhcpcd.conf file after flashing the SD:

Add the static IP configuration in the Raspberry Pi (/etc/dhcpcd.conf):
interface usb0
static ip_address=169.254.64.64

Add the static IP configuration in the host:
169.254.64.65
255.255.0.0
169.254.64.64