Hi folks! I found an interesting vulnerability on CyberArk Endpoint Privilege Manager. CyberArk EPM file block bypass (CVE-2018-14894) is very easy -even you have slave privileges-.CyberArk EPM aims to manage privileges from one hand and prevent any harm with admin privileges.
How does CyberArk EPM work?
If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
This product also has a function called “Application Blacklist”. You probably know what that means.
It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
But I found very interesting trick to makes CyberArk blind completely!All you need to do, revoke read privileges for system on the file that you want to open it.
After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute!
This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)