CVE-2014-4872
published 2014-10-10


Priority: P2 · 76 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 80.09% (99.6th percentile)
BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.

Affected

1 range
Vendor | Product | Version range | Fixed in
bmc | track-it_! | |

Detection & IOCs (extracted from sources)

port: 9010/tcp
port: 9004/tcp
path: /TrackItWeb/
path: /TrackItWeb/Installers/
path: /TrackItWeb/Grid/GetData
path: /TrackItWeb/Attachment/Open
other: Tcp channel protocol violation: expecting preamble
other: TrackIt.Core.ConfigurationService
other: GetProductDeploymentValues
bytes: 2e 4e 45 54 01 00 00 00 00 00
bytes: 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d
  • Detect unauthenticated .NET Remoting connections to TCP port 9010 (or 9004 for version 8); the .NET Remoting preamble starts with bytes 2E 4E 45 54 (`.NET`) which can be matched at the start of the TCP stream.
  • Alert on HTTP GET requests to /TrackItWeb/Installers/ for .asp or .aspx files, which indicates the second stage of the file-upload exploit executing the dropped webshell.
  • Monitor for .asp/.aspx files written under the Track-It! web root Installers directory (e.g. Track-It! Web\Web\Installers\) as this is the traversal target used by the exploit.
  • Detect invocation of the ConfigurationService method GetProductDeploymentValues over TCP 9010 to identify credential-harvesting attempts; look for the ASCII string 'GetProductDeploymentValues' in TCP payloads on port 9010.
  • Flag HTTP POST requests to /TrackItWeb/Grid/GetData containing SQL injection patterns (e.g. CREATE TABLE, row_number, double-dollar-sign delimiters) as exploitation of CVE-2014-4873.
  • Alert on any inbound TCP connections to ports 9010–9020 from untrusted/external networks, as the vendor's own mitigation recommends blocking this range.
  • Detect use of the hardcoded database credential 'TrackIt80_1' / 'TI_DB_P@ssw0rd' in SQL Server authentication logs, which indicates exploitation of the hardcoded credentials vulnerability.
  • The DES encryption key/IV 'NumaraIT' (fixed) is used to encrypt credentials in the configuration file; presence of this string in memory or traffic analysis may indicate credential decryption activity.
  • The exploit targets versions 8 through 11.3+; version 8 uses TCP port 9004 instead of 9010 for the .NET Remoting service, so detection rules must cover both ports.
  • Domain administrator credential disclosure via ConfigurationService only succeeds if the Self-Service (password reset) component is enabled on the target.
  • Track-It! 11.4 added DES encryption to .NET Remoting traffic but did NOT add authentication; the encryption key exchange is unauthenticated, so the vulnerability persists in 11.4 under CVE-2016-6598.
  • The traversal path used to reach the web root differs by version (v9, v10, v11 each have distinct relative paths); detection/blocking rules should not assume a single fixed path.
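
The stream checks from the list above (preamble at the start of the TCP stream, the service and method names in the payload, ports 9010–9020 plus 9004 for version 8) combined into one classifier, as an added Python example that is not taken from the sources this page cites. The trusted network, the UTF-16LE fallback and the sample streams are assumptions constructed for illustration.

```python
import ipaddress

PREAMBLE = bytes.fromhex("2e4e4554")      # ".NET", first bytes of the remoting stream
V8_PORT = 9004                             # version 8 listener, per the page
BLOCK_RANGE = range(9010, 9021)            # vendor mitigation range 9010-9020
MARKERS = ("GetProductDeploymentValues",
           "TrackIt.Core.ConfigurationService",
           "FileStorageService")
# Assumption: this network stands in for the site's trusted ranges.
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]


def _contains(stream: bytes, text: str) -> bool:
    # Match the ASCII form named on the page, plus UTF-16LE as a precaution
    # (an assumption, in case a string is serialized as wide characters).
    return text.encode("ascii") in stream or text.encode("utf-16-le") in stream


def inspect_stream(src_ip: str, dst_port: int, stream: bytes) -> list[str]:
    """Return findings for one reassembled client-to-server TCP stream."""
    if dst_port != V8_PORT and dst_port not in BLOCK_RANGE:
        return []
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED):
        findings.append("untrusted-source")
    # The preamble is only meaningful at offset 0 of the stream.
    if stream.startswith(PREAMBLE):
        findings.append("dotnet-remoting")
        findings += [f"marker:{m}" for m in MARKERS if _contains(stream, m)]
    return findings


# Constructed sample streams (not captured traffic). The bytes after the
# 10-byte prefix listed on the page are filler, not a valid remoting message.
PREFIX = bytes.fromhex("2e4e4554010000000000")
SAMPLES = [
    ("203.0.113.7", 9010, PREFIX + b"\x00" * 6 + b"TrackIt.Core.ConfigurationService"
                          + b"\x12\x1aGetProductDeploymentValues"),
    ("10.20.4.9", 9004, PREFIX + b"\x00" * 6 + b"FileStorageService"),
    ("203.0.113.7", 9010, b"GET / HTTP/1.1\r\n"),
    ("203.0.113.7", 443, PREFIX),
]

if __name__ == "__main__":
    for src, port, data in SAMPLES:
        print(src, port, inspect_stream(src, port, data))
```

Feed it reassembled client-to-server streams rather than single packets, since a marker string can straddle a segment boundary.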