CyberArk EPM Privilege Escalation Vulnerability - CVE-2018-13052


Hi everybody, today I just want to talk about the CyberArk EPM privilege escalation vulnerability (CVE-2018-13052).

CyberArk actually made an awesome product, at least in theory. Companies can arrange privileges from one single console.

It has a lot of options to arrange privileges. For example, you can set a specific application to run elevated while at the same time blocking its child processes, which stops malicious users who try to jump from it to other processes and start them as an admin.

These features are lifesaving actually. I need to admit it. 

I found a vulnerability in one of the crucial parts of EPM, which is called Child Process Protection.

A user can bypass the child process protection and execute a child process as an admin.

If there is an application elevated by CyberArk (one with an open dialog box is needed), a user can steal the token of the process and escalate privileges.

The vulnerability occurs because an inappropriate technique is used for handling processes.

I’ve found 5 different ways to bypass Child Process Protection. CyberArk should change their approach to prevent these kinds of attacks.

Here is how I did it:

https://www.youtube.com/watch?v=AoQLJ5jDk4A

https://www.youtube.com/watch?v=2d6yuMl3wJc

https://www.youtube.com/watch?v=8IB6cxWJoKs

https://www.youtube.com/watch?v=xYRbXBPubaw

https://www.youtube.com/watch?v=Q7SLYkRGNnw
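
For defenders, the outcome described in this post (a child process running as admin underneath an application that was elevated with child-process blocking) can be looked for in process-creation telemetry. The following is an added example, not code from the original post or from CyberArk; the policy list and the sample events are constructed, and the field names follow Sysmon Event ID 1.

```python
import ntpath

# Assumption: applications that the privilege-management policy elevates with
# child-process blocking enabled (hypothetical name, not from the post).
POLICY_ELEVATED = {"legacyapp.exe"}
ELEVATED_LEVELS = {"High", "System"}

# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 4, "Image": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Apps\LegacyApp.exe", "IntegrityLevel": "High"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Users\Public\tool.exe", "IntegrityLevel": "High"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium"},
    {"ProcessId": 600, "ParentProcessId": 200, "Image": r"C:\Apps\helper.exe", "IntegrityLevel": "Medium"},
]


def exe_name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def find_escaped_children(events):
    """Return (pid, image, elevated_ancestor) for every elevated process that
    is not itself policy-elevated but descends from a policy-elevated app.
    PIDs are assumed unique within the batch; on real data, key on ProcessGuid."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["IntegrityLevel"] not in ELEVATED_LEVELS:
            continue  # child protection held: the process is not elevated
        if exe_name(ev["Image"]) in POLICY_ELEVATED:
            continue  # elevation granted by policy, expected
        seen = set()
        parent = by_pid.get(ev["ParentProcessId"])
        while parent and parent["ProcessId"] not in seen:  # walk ancestors, guard against loops
            seen.add(parent["ProcessId"])
            if (exe_name(parent["Image"]) in POLICY_ELEVATED
                    and parent["IntegrityLevel"] in ELEVATED_LEVELS):
                alerts.append((ev["ProcessId"], exe_name(ev["Image"]), exe_name(parent["Image"])))
                break
            parent = by_pid.get(parent["ParentProcessId"])
    return alerts


if __name__ == "__main__":
    for alert in find_escaped_children(SAMPLE_EVENTS):
        print("elevated descendant of policy-elevated app:", alert)
```
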
