Happy new year! I was doing some new year cleaning and realised I never released this advisory properly. Two vulnerabilities in BMC Track-It! 11.4 which were disclosed by SecuriTeam Secure Disclosure on July 2016. Posting here because I've seen quite a few of these still in active use, live and deployed in corporate networks. The exploit is available in my repo at [3]. It's also interesting to see how they completely ignored my advice, but I'm used to that. Here it is in full glory for your reading pleasure. This advisory and exploit can also be fetched at my github repo (https://github.com/pedrib/PoC) and in the SSD blog at https://blogs.securiteam.com/index.php/archives/2713. A big thanks to SecuriTeam for helping out as always. >> Multiple critical vulnerabilities in BMC Track-It! 11.4 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ============================================================ ===================== Disclosure: 04/07/2016 / Last updated: 01/01/2017 >> Background and summary BMC Track-It! exposes several .NET remoting services on port 9010. .NET remoting is a remote method technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result. These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server. A technician would invoke these methods for obtaining tickets, creating a new ticket, uploading files to tickets, etc. On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were disclosed (under CVE-2014-4872, see [1]). The vulnerabilities were due to the Track-It! server accepting remote method invocations without any kind of authentication or encryption. The vulnerabilities were very severe: one allowed an attacker to execute code on the server as NETWORK SERVICE or SYSTEM, while the other would allow an attacker to obtain the domain administrator and SQL server passwords if the Track-It! server had password reset turned on. These vulnerabilities were discovered in a trivial manner - simply by turning Wireshark on and observing the packets one could see the remote method invocations and objects being passed around. Duplicate and even triplicate packets would not be rejected by the server, which would execute whatever action was requested in the packet. Disclosure was done by the US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information and I released two Metasploit exploits. BMC contacted me asking for advice on how to fix the issues, to which I responded: "For #1 [file upload] and #2 [domain admin pass disclosure] the fix is to implement authentication and authorisation. There is no other way to fix it. [...] Make sure the auth is done properly. You will have to negotiate some kind of session key using the user's credential at the start and use that session key for encryption going forward. Do not use a fixed key, as this can be reverse engineered. If you don't implement such mechanism, it's just a question of time before someone else breaks your protection and finds new vulnerabilities." On December 9th 2014, BMC released Track-It! 11.4 [2], which they claimed had fixed the security vulnerabilities. At first glance, this seemed to be true. Traffic in Wireshark did seem to be encrypted. However upon further inspection, it became obvious that while the actual method invocation and its arguments were being encrypted using a DES key, there was still no authentication being done. What this means in practice is that anyone can negotiate a new encryption key with the server and use that from then on to invoke remote methods without ever authenticating to the server, even for the initial encryption key exchange. The code can be inspected by decompiling TrackIt.Utility.Common.dll. The interesting part is in: namespace TrackIt.Utility.Common.Remoting { internal enum SecureTransaction { Uninitialized, SendingPublicKey, SendingSharedKey, SendingEncryptedMessage, SendingEncryptedResult, UnknownIdentifier, UnauthenticatedClient } } This represents the state machine that the server uses to track client requests. The initial state is UnauthenticatedClient for any unknown client. A typical communication would be as follows: 1- Client generates a RSA key, which it shares with the server by sending a Modulus and an Exponent. 2- Server creates a DES key and sends that key back to the client 3- Client and server now share an encryption key; that key is used to pass back messages back and forth (states SendingEncryptedMessage and SendingEncryptedResult). As it is evident, at no point there is any authentication or credentials being passed from the client to the server. So while all traffic is encrypted, anyone can negotiate an encryption key with the server and invoke any remote method. >From here on, building an exploit is trivial. All that is needed is to import the library DLL's from the Track-It! client application and invoke the methods in the code. A special thanks to SecuriTeam Secure Disclosure (SSD), which have assisted me in disclosing this vulnerability to BMC. Their advisory can be found at https://blogs.securiteam.com/index.php/archives/2713. Exploit code for this vulnerability has been released, and can be found in the same github repository as this advisory [3]. >> Technical details: #1 Vulnerability: Remote code execution via file upload CVE-2016-6598 Attack Vector: Remote Constraints: None; exploitable by an unauthenticated attacker Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar) The application exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM. #2 Vulnerability: Domain administrator and SQL server user credentials disclosure CVE-2016-6599 Attack Vector: Remote Constraints: None; exploitable by an unauthenticated attacker Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar) The application exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments. >> Fix: Upgrade to BMC Track-It! 11.5 or above. >> References: [1] https://raw.githubusercontent.com/pedrib/PoC/master/ advisories/bmc-track-it-11.3.txt [2] https://communities.bmc.com/community/bmcdn/bmc_track-it/ blog/2014/12/09/track-it-114-is-now-available [3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >> =============================== EXPLOIT (TrackPwn.sln): Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 2013 VisualStudioVersion = 12.0.30723.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TrackPwn", "TrackPwn\TrackPwn.csproj", "{2F2EABA8-CEBD-47D9-9858-E616039AA5A7}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU Debug|x86 = Debug|x86 Release|Any CPU = Release|Any CPU Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Debug|Any CPU.Build.0 = Debug|Any CPU {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Debug|x86.ActiveCfg = Debug|x86 {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Debug|x86.Build.0 = Debug|x86 {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Release|Any CPU.ActiveCfg = Release|Any CPU {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Release|Any CPU.Build.0 = Release|Any CPU {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Release|x86.ActiveCfg = Release|x86 {2F2EABA8-CEBD-47D9-9858-E616039AA5A7}.Release|x86.Build.0 = Release|x86 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal =============================== ORIGINAL README FOR EXPLOIT: Exploit for CVE-2016-6598 and CVE-2016-6599 =========================================== >> Building: Use Visual Studio 2013 to build the exploit. Two things to have in mind: 1- Build for the x86 configuration 2- The following files from Track-It! 11.4 need to be put under the \lib\ directory (where ROOT is the directory where the this and the solution file are): DevExpress.Data.v14.1.dll DevExpress.Xpo.v14.1.dll Iesi.Collections.dll Interop.TrackItBiz110.dll Ionic.Zip.dll NHibernate.dll TrackIt.Core.BOM.dll TrackIt.Core.Configuration.dll TrackIt.Core.Configuration.MultisourceConfigurationImpl.dll TrackIt.Core.Credential.dll TrackIt.Core.DataAccess.dll TrackIt.Core.FileStorage.dll TrackIt.Core.FileStorage.FileStorageImpl.dll TrackIt.Core.Licensing.dll TrackIt.Core.Localization.dll TrackIt.Core.Metadata.dll TrackIt.Core.ResourceManagement.dll TrackIt.Core.Security.dll TrackIt.Deployment.Common.dll TrackIt.Framework.Component.dll TrackIt.Framework.ErrorHandling.dll TrackIt.Utility.CodeGeneration.dll TrackIt.Utility.Common.dll TrackIt.Utility.Encryption.dll TrackIt.Utility.Filter.dll Pedro Ribeiro Founder and Director of Research pedrib@agileinfosec.co.uk / pedrib@gmail.com ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>