Exploit the possiblities

BMC Remedy LFI / RFI / XSS / Code Execution

BMC Remedy LFI / RFI / XSS / Code Execution
Posted Oct 19, 2017
Authored by Simon Rawet

BMC Remedy suffers from log hijacking, code execution, cross site scripting, local/remote file inclusion, and various other vulnerabilities.

tags | advisory, remote, local, vulnerability, code execution, xss, file inclusion
MD5 | 6a00391d6567c156d616b913657c8b20

BMC Remedy LFI / RFI / XSS / Code Execution

Change Mirror Download
Document Title
Multiple vulnerabilities in BMC Remedy

Reported By
Simon Rawet from Outpost24
Kristian Varnai from Outpost24

Vendor description
"Remedy Service Management Suite is an enterprise service management
platform built natively for mobile with an intuitive, people-centric
user experience that makes your whole organization more productive."
Source: http://www.bmc.com/it-solutions/remedy-itsm.html

Vulnerability Disclosure Timeline:
2017-07-14: Vulnerability details sent.
2017-07-14: Vendor: PGP key was rotated.
2017-07-15: Vulnerability details sent with their new PGP key.
2017-07-17: Vendor: Acknowledged received report.
2017-07-21: Vulnerability details sent for newly found vulnerabilities.
2017-07-25: Vendor: Response to first report (2017-07-15), see Vendor
Response section
2017-08-01: Vendor: Acknowledged receiving the second report
2017-08-04: Response to vendor response. 90 days deadline given.
2017-10-04: Request for update.

For any updates visit:

Remote and Local File Inclusion
The remedy system exposes the birt report engine, allowing for an
attacker to include arbitrary external or internal files. Due to the
lack of restrictions on what can be targeted, this opens up the system
for many potential attacks, such as system fingerprinting, internal port
scanning, SSRF, or remote code execution.

Internal Path Disclosure
The remedy system exposes the birt report engine, allowing for an
attacker to disclose the internal filepath through its verbose error
message, by including a non-existent file.

Cross-Site Scripting
A reflected cross-site scripting was discovered, affecting both
authenticated and unauthenticated users.

Cross-Site Script Include
BMC uses dynamically generated javascript to provide environmental
variables for the users, this could be included by a malicious
third-party site, and used to steal the CSRF token.

Log Hijacking
The remote logging of the remedy system can be accessed by
unauthenticated users, allowing for an attacker to hijack the system
logs. This data can include usernames, as well as HTTP data, including

Session Token Disclosure
Some HTTP responses include the value of the session token, allowing a
javascript to bypass the httponly flag on the session cookie and steal it.

Authenticated Code Execution
Authenticated users that have the right to create reports, can use the
birt templating to gain code execution. Access to this functionality
appears to be granted to all users by default.

Vendor Response
Remote and Local File Inclusion: vendor referred to a communities post
and existing CVEs; post claimed that the issue has been fixed in later
versions, however, testing confirms the vulnerability to still be
present; existing CVE misclassifies finding as a plain content
inclusion. We informed them of these issues; no response from vendor.

Internal Path Disclosure: vendor referred to a hotfix on their
communities page; however, this hotfix will not work. We informed them
of these issues; no response from vendor.

Cross-Site Scripting: vendor acknowledged vulnerability and stated plans
of fixing it.

Cross-Site Script Include: vendor acknowledged vulnerability and stated
that they are in the process of following up on it.

Log Hijacking: vendor acknowledged vulnerability and stated that access
to the offending service will be removed in later versions.

Session Token Disclosure: No response from vendor.

Authenticated Code Execution: No response from vendor.

Simon Rawet
Web Application Analyst
M: +46 708 474 323 | T: +46 455 612 323

Outpost24 - Vulnerability Management made easy
Outpost24 Sweden | Skeppsbrokajen 8 | 371 33, Karlskrona | Sweden


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

March 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    14 Files
  • 2
    Mar 2nd
    12 Files
  • 3
    Mar 3rd
    1 Files
  • 4
    Mar 4th
    3 Files
  • 5
    Mar 5th
    15 Files
  • 6
    Mar 6th
    23 Files
  • 7
    Mar 7th
    15 Files
  • 8
    Mar 8th
    15 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    2 Files
  • 11
    Mar 11th
    1 Files
  • 12
    Mar 12th
    16 Files
  • 13
    Mar 13th
    20 Files
  • 14
    Mar 14th
    12 Files
  • 15
    Mar 15th
    10 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By