CVE-2016-1542
Published 2016-06-13
Priority: P2 · 74 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 74.62% (99.4th percentile)
The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | bladelogic_server_automation_console | — | — |
Detection & IOCs
- Bytes: `\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35\x30\x3b\x30\x3b\x37\x3b`
- Bytes: `\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31\x30\x3b\x30\x3b\x37\x3b`
- Bytes: `\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30`
- Detect exploit initiation by monitoring for the literal string 'TLSRPC' or 'TLS' sent as the first bytes of a TCP connection to port 4750, followed by an SSL/TLS upgrade; this is the protocol handshake used by both exploit variants to initiate the RSCD agent session.
- Detect POST requests to the path '/xmlrpc' on port 4750 over a TLS-wrapped plain TCP socket (not standard HTTPS), which is the XMLRPC exploitation channel for CVE-2016-1542.
- Alert on inbound connections to TCP port 4750 from untrusted/external sources; the RSCD agent listens on this port and the authorization bypass is triggered by sending an action packet to xmlrpc after an authorization failure.
- Look for the fake agentinfo auth packet byte pattern (starting \x00\x00\x00\x5e) or the fake nexec auth packet (starting \x00\x00\x00\x5a) on port 4750 as indicators of active exploitation attempts.
- Monitor for XML-RPC payloads containing 'RemoteServer.intro' or 'RemoteExec.exec' method names sent to the RSCD agent, as these are the specific RPC calls used to authenticate and execute commands without authorization.
- The Metasploit module uses BadChars '\x00\x09\x0a' in payloads; monitor for binary command execution packets on port 4750 that contain the nexec finish sequence bytes (\x00\x00\x00\x22 prefix block).
- The exploit upgrades the TCP connection to TLS using SSLv23 with VERIFY_NONE and ALL ciphers before sending any exploit packets; network inspection must perform TLS interception on port 4750 to inspect payload content.
- Under Windows targets, non-PowerShell commands are automatically prefixed with 'cmd /c' by the exploit module, so process monitoring should account for both direct command execution and cmd.exe-spawned child processes.
- The fake auth packets include 7 bytes of random alpha text (rand_text_alpha(7)) at two positions, meaning byte-for-byte signature matching of the full auth packet will miss exploit attempts; match only the fixed prefix portions.
- The vulnerability affects BMC BSA versions 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX; Windows hosts are also targeted by the Metasploit module via the same RSCD agent port.
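To show how the indicators above combine into one detection pass, here is an added Python example; it is not code from this record, from BMC, or from either exploit listed below. It matches only the fixed leading bytes of the three packets (so the 7 random alpha characters noted above cannot defeat it), checks the cleartext TLSRPC/TLS greeting, and applies the '/xmlrpc' and method-name markers only to a buffer obtained after TLS interception. The `Connection` record, its `trusted_source` flag and the sample connections are constructed for the demonstration.

```python
"""Matcher for the RSCD-agent indicators listed above (added example).

The byte prefixes, port, greeting strings and XML-RPC method names are copied
from the IOC list on this page; the connections scanned at the bottom are
constructed sample data, not captured traffic.
"""
from typing import Dict, List, NamedTuple

RSCD_PORT = 4750  # port the RSCD agent listens on, per the IOC list

# Leading bytes of the three packets from the IOC list, copied verbatim. Only
# this fixed prefix is matched: the fake auth packets carry 7 random alpha
# characters at two positions, so a full-packet signature would miss attempts.
BYTE_PREFIXES: Dict[str, bytes] = {
    "fake_agentinfo_auth": (
        b"\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30\x30\x30\x30"
        b"\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38\x30\x3b\x38\x38\x30\x3b"
        b"\x30\x30\x30\x30\x30\x30\x30\x33\x35\x30\x3b\x30\x3b\x37\x3b"
    ),
    "fake_nexec_auth": (
        b"\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30\x30\x30\x30"
        b"\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61\x34\x3b\x64\x61\x34\x3b"
        b"\x30\x30\x30\x30\x30\x30\x30\x33\x31\x30\x3b\x30\x3b\x37\x3b"
    ),
    "nexec_command_packet": (
        b"\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30\x30\x30\x30"
        b"\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37\x3b\x38\x38\x30\x3b"
        b"\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30"
    ),
}

# Cleartext greeting sent before the connection is upgraded to TLS.
GREETINGS = (b"TLSRPC", b"TLS")

# Markers that are only visible once the TLS session has been intercepted.
XMLRPC_MARKERS: Dict[str, bytes] = {
    "xmlrpc_post": b"POST /xmlrpc",
    "rpc_remote_server_intro": b"RemoteServer.intro",
    "rpc_remote_exec_exec": b"RemoteExec.exec",
}


class Connection(NamedTuple):
    """One observed TCP connection (constructed record shape, hypothetical)."""
    src: str
    dst_port: int
    trusted_source: bool    # True when the client sits inside the management network
    first_bytes: bytes      # cleartext bytes seen before any TLS upgrade
    decrypted: bytes = b""  # payload after TLS interception; empty if unavailable


def match_payload(data: bytes) -> List[str]:
    """Return the names of every indicator whose fixed bytes appear in data."""
    hits = [name for name, prefix in BYTE_PREFIXES.items() if data.startswith(prefix)]
    hits += [name for name, marker in XMLRPC_MARKERS.items() if marker in data]
    return hits


def is_rscd_greeting(data: bytes) -> bool:
    """True when the connection opens with the literal TLSRPC/TLS handshake."""
    return any(data.startswith(g) for g in GREETINGS)


def triage(conn: Connection) -> List[str]:
    """Produce alert labels for one connection, cheapest checks first."""
    alerts: List[str] = []
    if conn.dst_port != RSCD_PORT:
        return alerts
    if not conn.trusted_source:
        alerts.append("inbound_4750_from_untrusted")
    if is_rscd_greeting(conn.first_bytes):
        alerts.append("rscd_session_greeting")
    # Everything after the greeting travels inside TLS; without interception the
    # decrypted buffer is empty and the payload checks simply find nothing.
    alerts += match_payload(conn.decrypted)
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_CONNECTIONS = [
    Connection("203.0.113.7", RSCD_PORT, False, b"TLSRPC",
               BYTE_PREFIXES["fake_agentinfo_auth"] + b"<remainder omitted>"),
    Connection("10.0.5.12", RSCD_PORT, True, b"TLS",
               b"POST /xmlrpc HTTP/1.1\r\n\r\n<methodCall><methodName>"
               b"RemoteExec.exec</methodName></methodCall>"),
    Connection("10.0.5.40", 22, True, b"SSH-2.0-OpenSSH_8.9"),
    Connection("10.0.5.41", RSCD_PORT, True, b"TLS"),  # no interception available
]


def run_samples() -> Dict[str, List[str]]:
    """Triage every sample connection, keyed by source address."""
    return {c.src: triage(c) for c in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for src, alerts in run_samples().items():
        print(f"{src}: {alerts or 'no alert'}")
```

The last sample shows the limitation the list above calls out: with no TLS interception, only the cleartext greeting and the source-trust check can fire, so a sensor on port 4750 without decryption sees the session start but never the auth or command packets.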
CVSS provenance
- NVD, CVSS v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Exploit-DB
BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)
exploitdb · 2018-02-01 · CVE-2016-1543
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # ... (rank and mixin includes not preserved in this excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'BMC Server Automation RSCD Agent NSH Remote ' \
                       'Command Execution',
      'Description' => %q(
        This module exploits a weak access control check in the BMC Server
        Automation RSCD agent that allows arbitrary operating system commands
        to be executed without authentication.
        Note: Under Windows, non-powershell commands may need to be prefixed
        with 'cmd /c'.
      ),
      'Author'      =>
        [
          'Olga Yanushkevich, ERNW', # Vulnerability discovery
          'Nicky Bloor (@NickstaDB)' # RCE payload and Metasploit module
        ],
      'References'  =>
        [
          ['URL', 'https://insinuator.net/2016/03/bmc-blade
```
Exploit-DB
BMC BladeLogic 8.3.00.64 - Remote Command Execution
exploitdb · 2018-01-26 · CVSS 7.5 · CVE-2016-1543 [HIGH]
---
```python
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version
# Filename: BMC_rexec.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-24
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
# Tested on: 8.3.00.64

#!/usr/bin/python
# BMC BladeLogic RSCD agent remote exec - XMLRPC version
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# By Paul Taylor / Fore
```
Metasploit
BMC Server Automation RSCD Agent NSH Remote
This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. Note: Under Windows, non-powershell commands may need to be prefixed with 'cmd /c'.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/136461/BMC-Server-Automation-BSA-RSCD-Agent-User-Enumeration.html
- http://www.securityfocus.com/archive/1/537909/100/0/threaded
- https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution
- https://www.exploit-db.com/exploits/43902/
- https://www.exploit-db.com/exploits/43939/
- https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/