CyberArk Endpoint Privilege Manager Local Privilege Escalation CVE-2021-44049.
On 25.10.2021 I reported a local privilege escalation vulnerability in CyberArk EPM, a product used to help organizations enforce least privilege, reduce the risk of information theft and block attacks on the organization's endpoints.
CyberArk EPM is offered in both "on-prem" and SaaS (cloud) versions. The vulnerability affected all versions. A fix was released publicly on 20.12.2021: https://www.cyberark.com/ca21-34/.
Cloud customers had the fix applied by CyberArk and need to take no action on this matter; on-prem customers, however, will need to update their software manually.
Technical Details:
CyberArk EPM contains a "Get Support Info" menu for collecting system information and background process details when errors occur.
One of the options a user can tick is "Process Monitor recording session", which runs the popular "Procmon" tool to monitor the processes running on the system. This requires the EPM admin to enable "Support mode" from the Administration panel. If "Support mode" is not enabled, a UAC prompt appears that requires an administrator account.
Once "Support mode" is enabled, a low-privileged user can run a Process Monitor recording session and no UAC prompt is displayed.
The issue is that Procmon, which runs with elevated permissions, is for some reason launched from the user's Temp directory. This allows the user to replace the Procmon binary with any other binary, which will then run elevated.
However, when I tried to replace the "Procmon.exe" binary with cmd.exe, I got the error "The Process Monitoring tool could not be verified", which is probably caused by a checksum check.
Later, while digging deeper into this, I found that when the "Record" button is pressed, a new binary called "Procmon64.exe" appears in the user's Temp directory.
This reveals that when the recording session starts, "Procmon.exe" launches "Procmon64.exe" with elevated permissions.
I then replaced "Procmon64.exe" with the cmd.exe executable, and that worked: there is no checksum check on "Procmon64.exe", so an elevated CMD runs, giving local privilege escalation on the system.
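The root cause above is an elevated process whose image sits in a directory the standard user can write to, with only the parent (not the child it spawns) integrity-checked. The following is an added detection example, not code from the write-up or from CyberArk: it runs a simple rule over constructed process-creation records (the event schema, vendor path and user name are assumptions) and flags elevated launches from user-writable locations, escalating when the image is unsigned.

```python
# Detection rule: flag elevated process launches whose image lives in a
# user-writable directory, the pattern behind CVE-2021-44049.
import re

# Directories a standard user can normally write to (constructed list).
USER_WRITABLE_DIRS = [
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
    r"^[A-Z]:\\Users\\[^\\]+\\Downloads\\",
    r"^[A-Z]:\\Windows\\Temp\\",
]
ELEVATED = {"High", "System"}  # Windows integrity levels treated as elevated


def is_user_writable(path: str) -> bool:
    """True if the image path sits under a directory standard users can write to."""
    return any(re.match(p, path, re.IGNORECASE) for p in USER_WRITABLE_DIRS)


def assess(event: dict):
    """Return a finding dict for one process-creation event, or None if benign.

    Assumed simplified event schema (not a real EDR format):
    image, parent_image, integrity, signed.
    """
    if event["integrity"] not in ELEVATED or not is_user_writable(event["image"]):
        return None
    # An elevated image in a user-writable location could have been swapped
    # before launch; an unsigned one is the strongest signal of that.
    severity = "high" if event.get("signed") else "critical"
    return {"image": event["image"], "parent": event.get("parent_image"),
            "severity": severity,
            "reason": "elevated process image in user-writable directory"}


def detect(events):
    return [f for f in map(assess, events) if f]


# Constructed sample telemetry mirroring the write-up: signed Procmon.exe and
# an unsigned Procmon64.exe (the swapped child) both launched elevated from
# the user's Temp directory; cmd.exe from System32 at Medium is benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\Procmon.exe",
     "parent_image": r"C:\Program Files\ExampleVendor\agent.exe",
     "integrity": "High", "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\Procmon64.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Procmon.exe",
     "integrity": "High", "signed": False},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "integrity": "Medium", "signed": True},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"])
```

The same rule can be applied to real process-creation telemetry by mapping its image path, integrity level and signature fields onto the assumed keys.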