During a recent customer engagement, the CyberArk Red Team discovered and exploited an Elevation of Privilege (EoP) vulnerability (
Для просмотра ссылки Войди или Зарегистрируйся) in Delinea Privilege Manager (formerly Thycotic Privilege Manager). This vulnerability allowed an unprivileged user to execute arbitrary code as SYSTEM. CyberArk responsibly disclosed this vulnerability to Delinea, including the exploit proof of concept (POC) code, as part of our commitment to contributing to the security community.
Analyzing CVE-2024-39708
Delinea Privilege Manager for Windows prior to version 12.0.1096 is susceptible to a dynamic-link library (DLL) search order hijacking vulnerability, which allows an unprivileged user to execute arbitrary code as SYSTEM.
After the agent service starts, it attempts to load
httpapi.dll in order from the following paths:
- C:\Windows\Temp\Arellia\AmsAgent\Cache\ArelliaAgent\assembly\dl3\7f9cbee9\00bbcf35_70d5d901\
- C:\Program Files\Thycotic\Agents\Agent\
- C:\Windows\System32\
As shown in Figure 1, the agent service successfully loads
httpapi.dll from the
System32 directory after failing to locate the DLL in the Windows temp and application installation directories.
Figure 1: DLL Search Order – Agent Service httpapi.dll
By default, Windows grants unprivileged users permission to write files and folders to
C:\Windows\Temp, and unless otherwise specified, this default discretionary access control list (DACL) is inherited by subdirectories. As shown in Figure 2, due to the inherited DACL, the Users group can write files and folders in
C:\Windows\Temp\Arellia\AmsAgent\Cache\ArelliaAgent\assembly\dl3\7f9cbee9\00bbcf35_70d5d901.
Figure 2: Users Permissions
C:\Windows\Temp\Arellia\AmsAgent\Cache\ArelliaAgent\assembly\dl3\7f9cbee9\00bbcf35_70d5d901
Due to the weak DACL, unprivileged users can plant a custom
httpapi.dll binary in the directory so that the DLL is found and loaded when the service restarts, resulting in the execution of arbitrary code as SYSTEM.
Figure 3: DLL Search Order Hijack
Figure 4: Execution as SYSTEM
The agent service does not permit unprivileged users to restart it manually; however, we can force the service to restart and subsequently load our DLL by rebooting the system or using a clever trick with some MSI installations. Even if the
NoModify setting is configured, which disables any installation modification via the Apps & Features Windows settings, the installation repair action can be executed using either the cached installation package or the installation product code.
When software is installed using an MSI package, Windows caches the package in the
C:\Windows\Installer directory with an alphanumeric file name selected by the Windows Installer. We can execute the repair action on the command line by identifying the cached package for the target installation, for example, by the file
Author and Subject attributes.
Figure 5: C:\Windows\Installer
Figure 6: MSI Repair Installation
Alternatively, the installation product code can be retrieved from the WMI database or Windows registry, and the repair action can be executed either via the command line or the
Application Installation and Servicing Win32 API.
Figure 7: WMI Get Installation Product Code
Figure 8: MSI Repair Installation by Product Code
Для просмотра ссылки Войди или Зарегистрируйся
