CVE-2014-4872
Published 2014-10-10
Priority: P276 high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 80.09% (99.6th percentile)
BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | track-it_! | — | — |
Detection & IOCs (extracted from sources)
bytes: 2e 4e 45 54 01 00 00 00 00 00
bytes: 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d
- Detect unauthenticated .NET Remoting connections to TCP port 9010 (or 9004 for version 8); the .NET Remoting preamble starts with bytes 2E 4E 45 54 (`.NET`) which can be matched at the start of the TCP stream.
- Alert on HTTP GET requests to /TrackItWeb/Installers/ for .asp or .aspx files, which indicates the second stage of the file-upload exploit executing the dropped webshell.
- Monitor for .asp/.aspx files written under the Track-It! web root Installers directory (e.g. Track-It! Web\Web\Installers\) as this is the traversal target used by the exploit.
- Detect invocation of the ConfigurationService method GetProductDeploymentValues over TCP 9010 to identify credential-harvesting attempts; look for the ASCII string 'GetProductDeploymentValues' in TCP payloads on port 9010.
- Flag HTTP POST requests to /TrackItWeb/Grid/GetData containing SQL injection patterns (e.g. CREATE TABLE, row_number, double-dollar-sign delimiters) as exploitation of CVE-2014-4873.
- Alert on any inbound TCP connections to ports 9010–9020 from untrusted/external networks, as the vendor's own mitigation recommends blocking this range.
- Detect use of the hardcoded database credential 'TrackIt80_1' / 'TI_DB_P@ssw0rd' in SQL Server authentication logs, which indicates exploitation of the hardcoded credentials vulnerability.
- The DES encryption key/IV 'NumaraIT' (fixed) is used to encrypt credentials in the configuration file; presence of this string in memory or traffic analysis may indicate credential decryption activity.
- The exploit targets versions 8 through 11.3+; version 8 uses TCP port 9004 instead of 9010 for the .NET Remoting service, so detection rules must cover both ports.
- Domain administrator credential disclosure via ConfigurationService only succeeds if the Self-Service (password reset) component is enabled on the target.
- Track-It! 11.4 added DES encryption to .NET Remoting traffic but did NOT add authentication; the encryption key exchange is unauthenticated, so the vulnerability persists in 11.4 under CVE-2016-6598.
- The traversal path used to reach the web root differs by version (v9, v10, v11 each have distinct relative paths); detection/blocking rules should not assume a single fixed path.
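The network and web-log checks listed above, sketched as an added Python example (not taken from the page's sources or from any vendor rule set). The trusted subnet, the finding names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# Values taken from the page's detection notes.
REMOTING_PORTS = set(range(9010, 9021)) | {9004}  # 9010-9020, plus 9004 for version 8
PREAMBLE = bytes.fromhex("2e4e4554")              # ".NET" at the start of the stream
CONFIG_METHOD = b"GetProductDeploymentValues"
INSTALLER_GET = re.compile(r"^GET\s+/TrackItWeb/Installers/[^\s?]*\.aspx?(\?|\s|$)", re.I)

# Assumption: the only subnet allowed to reach the remoting service.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def check_tcp(src, dport, first_payload):
    """Findings for the first client bytes of a TCP stream."""
    if dport not in REMOTING_PORTS:
        return []
    findings = []
    ip = ipaddress.ip_address(src)
    if not any(ip in net for net in TRUSTED_NETS):
        findings.append("untrusted-source-to-remoting-port")
    if first_payload.startswith(PREAMBLE):
        findings.append("dotnet-remoting-preamble")
        if CONFIG_METHOD in first_payload:
            findings.append("configurationservice-credential-read")
    return findings

def check_http(request_line):
    """Findings for one web-server request line (IIS paths are case-insensitive)."""
    return ["installers-asp-request"] if INSTALLER_GET.match(request_line) else []

def triage(events):
    """Return (event index, finding) pairs for a mixed list of events."""
    hits = []
    for i, ev in enumerate(events):
        found = check_tcp(*ev[1:]) if ev[0] == "tcp" else check_http(ev[1])
        hits.extend((i, f) for f in found)
    return hits

# Constructed sample events; the payloads are stand-ins, not valid remoting messages.
SAMPLE = [
    ("tcp", "203.0.113.7", 9010, bytes.fromhex("2e4e4554010000000000") + b"..GetProductDeploymentValues.."),
    ("tcp", "10.20.4.15", 9004, bytes.fromhex("2e4e4554010000000000") + b"..padding.."),
    ("tcp", "203.0.113.7", 443, b"\x16\x03\x01"),
    ("http", "GET /trackitweb/installers/x1.ASPX HTTP/1.1"),
    ("http", "GET /TrackItWeb/Installers/setup.exe HTTP/1.1"),
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE):
        print(idx, finding)
```

A preamble finding from a trusted source is expected from legitimate technician consoles, so it is a triage signal rather than an alert by itself.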
No detection rules found.
Exploit-DB
BMC Track-It! 11.4 - Multiple Vulnerabilities
exploitdb · 2015-09-28 · CVSS 7.5 · CVE-2016-6599 [HIGH]
---
>> Multiple critical vulnerabilities in BMC Track-It! 11.4
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 04/07/2016 / Last updated: 01/01/2017
>> Background and summary
BMC Track-It! exposes several .NET remoting services on port 9010. .NET remoting is a remote method technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result.
These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server. A technician would invoke these methods for obtaining tickets, creating a new ticket, uploading files to tickets, etc.
On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were di
Exploit-DB
Numara / BMC Track-It! FileStorageService - Arbitrary File Upload (Metasploit)
exploitdb · 2014-10-21 · CVE-2014-4872
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Numara / BMC Track-It! FileStorageService Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!
v8 to v11.X.
The application exposes the FileStorageService .NET remoting service on port 9010
(9004 for version 8) which accepts unauthenticated uploads. This can be abused by
a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary
code execution as NETWORK SERVICE or SYSTEM.
This module has been tested successfully on versions 11.3.0.3
Exploit-DB
BMC Track-It! - Multiple Vulnerabilities
exploitdb · 2014-10-09 · CVE-2014-4872
---
>> Multiple critical vulnerabilities in BMC Track-It!
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
The application exposes several .NET remoting services on port 9010.
.NET remoting is an RMI technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result. In BMC Track-It!, the .NET remoting services are unauthenticated and unencrypted, meaning that anyone can invoke all the exposed methods remotely.
It is possible to capture traffic and decode the packet format by looking at the (incomplete) Microsoft .NET remoting specifications. Using these techniques, two Metasploit modules were produced: one is an exploit module that can upload arbitrary files to the web root
Metasploit
BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure
metasploit
This module exploits an unauthenticated configuration retrieval .NET remoting service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain Administrator and the SQL server user credentials. This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143 and 9.0.30.248.
Metasploit
Numara / BMC Track-It! FileStorageService Arbitrary File Upload
metasploit
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8) which accepts unauthenticated uploads. This can be abused by a malicious user to upload an ASP or ASPX file to the web root leading to arbitrary code execution as NETWORK SERVICE or SYSTEM. This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143, 9.0.30.248 and 8.0.2.51.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/128594/BMC-Track-it-Remote-Code-Execution-SQL-Injection.html
- http://www.kb.cert.org/vuls/id/121036
- https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt
Published: 2014-10-10