CyberArk EPM Privilege Escalation Vulnerability – CVE-2018-13052 2

Hi everybody, today I just want to talk about CyberArk EPM Privilege Escalation vulnerability (CVE-2018-13052).

Actually CyberArk made awesome product – at least in theoretically -. Companies can arrange privileges from one single console.

It has a lot of options to arrange privileges. For example, you can set a specific application to elevate but at the same time, you can block the child processes to avoid from bad users which try to jump another processes and start them as an admin.

These features are lifesaving actually. I need to admit it. 

CyberArk EPM Privilege Escalation Vulnerability – CVE-2018-13052

I found a vulnerability inside of the crucial points of the EPM which is called Child Process Protection.

An user, can bypass the child process protection and execute a child process as an admin.

If there is an elevated application -open dialog box needed- by CyberArk, user can steal the token of the process and escalate privilege.

The vulnerability occurs because of the usage of inappropriate handling process technique.

I’ve found 5 different ways to bypass Child Process Protection. CyberArk should change their way to prevent these kind of attacks.

Here is how I did it;