Exploit the possiblities

BMC Remedy LFI / RFI / XSS / Code Execution

BMC Remedy LFI / RFI / XSS / Code Execution
Posted Oct 19, 2017
Authored by Simon Rawet

BMC Remedy suffers from log hijacking, code execution, cross site scripting, local/remote file inclusion, and various other vulnerabilities.

tags | advisory, remote, local, vulnerability, code execution, xss, file inclusion
MD5 | 6a00391d6567c156d616b913657c8b20

BMC Remedy LFI / RFI / XSS / Code Execution

Change Mirror Download
Document Title
==============
Multiple vulnerabilities in BMC Remedy

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24

Vendor description
==================
"Remedy Service Management Suite is an enterprise service management
platform built natively for mobile with an intuitive, people-centric
user experience that makes your whole organization more productive."
Source: http://www.bmc.com/it-solutions/remedy-itsm.html

Vulnerability Disclosure Timeline:
==================================
2017-07-14: Vulnerability details sent.
2017-07-14: Vendor: PGP key was rotated.
2017-07-15: Vulnerability details sent with their new PGP key.
2017-07-17: Vendor: Acknowledged received report.
2017-07-21: Vulnerability details sent for newly found vulnerabilities.
2017-07-25: Vendor: Response to first report (2017-07-15), see Vendor
Response section
2017-08-01: Vendor: Acknowledged receiving the second report
2017-08-04: Response to vendor response. 90 days deadline given.
2017-10-04: Request for update.

For any updates visit:
https://outpost24.com/bmc-remedy-vulnerabilities-identified



Remote and Local File Inclusion
===============================
The remedy system exposes the birt report engine, allowing for an
attacker to include arbitrary external or internal files. Due to the
lack of restrictions on what can be targeted, this opens up the system
for many potential attacks, such as system fingerprinting, internal port
scanning, SSRF, or remote code execution.


Internal Path Disclosure
========================
The remedy system exposes the birt report engine, allowing for an
attacker to disclose the internal filepath through its verbose error
message, by including a non-existent file.


Cross-Site Scripting
====================
A reflected cross-site scripting was discovered, affecting both
authenticated and unauthenticated users.


Cross-Site Script Include
=========================
BMC uses dynamically generated javascript to provide environmental
variables for the users, this could be included by a malicious
third-party site, and used to steal the CSRF token.


Log Hijacking
=============
The remote logging of the remedy system can be accessed by
unauthenticated users, allowing for an attacker to hijack the system
logs. This data can include usernames, as well as HTTP data, including
cookies.


Session Token Disclosure
========================
Some HTTP responses include the value of the session token, allowing a
javascript to bypass the httponly flag on the session cookie and steal it.


Authenticated Code Execution
===========================
Authenticated users that have the right to create reports, can use the
birt templating to gain code execution. Access to this functionality
appears to be granted to all users by default.



Vendor Response
===============
Remote and Local File Inclusion: vendor referred to a communities post
and existing CVEs; post claimed that the issue has been fixed in later
versions, however, testing confirms the vulnerability to still be
present; existing CVE misclassifies finding as a plain content
inclusion. We informed them of these issues; no response from vendor.

Internal Path Disclosure: vendor referred to a hotfix on their
communities page; however, this hotfix will not work. We informed them
of these issues; no response from vendor.

Cross-Site Scripting: vendor acknowledged vulnerability and stated plans
of fixing it.

Cross-Site Script Include: vendor acknowledged vulnerability and stated
that they are in the process of following up on it.

Log Hijacking: vendor acknowledged vulnerability and stated that access
to the offending service will be removed in later versions.

Session Token Disclosure: No response from vendor.

Authenticated Code Execution: No response from vendor.

--
Simon Rawet
Web Application Analyst
M: +46 708 474 323 | T: +46 455 612 323

Outpost24 - Vulnerability Management made easy
Outpost24 Sweden | Skeppsbrokajen 8 | 371 33, Karlskrona | Sweden


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close