CVE-2016-6598
published 2018-01-30

Priority: P277, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.58% (97.0th percentile)
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
bmc | track-it_! | <= 11.4 |
bmc | track-it_! | |

Detection & IOCs (extracted from sources)

port: 9010
url: https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43883.zip
filename: TrackIt.Utility.Common.dll
  • Monitor for unauthenticated inbound TCP connections to port 9010 on Track-It! servers; any connection from an unexpected source should be treated as a suspected attempt to exploit the unauthenticated .NET remoting FileStorageService.
  • Detect .NET remoting RSA key exchange (Modulus/Exponent) followed by DES key negotiation on port 9010 without any credential exchange — this is the exploit's key-negotiation handshake pattern.
  • Alert on new or modified files appearing under the Track-It! web root directory shortly after .NET remoting activity on port 9010, as the exploit uploads a file to an arbitrary path to achieve code execution.
  • Look for processes spawned as NETWORK SERVICE or SYSTEM that are children of the Track-It! server process following file upload activity on port 9010, indicating successful code execution via the vulnerability.
  • Traffic on port 9010 is DES-encrypted after the RSA key exchange, meaning standard plaintext deep-packet inspection will not reveal method names or file payloads — detection must rely on behavioral/heuristic signals rather than payload content inspection.
  • The vulnerability affects Track-It! 11.4 versions prior to Hotfix 3; Track-It! 11.3 had related but distinct CVEs (CVE-2014-4872). Ensure version fingerprinting distinguishes between these when scoping detection rules.
  • The exploit imports Track-It! client DLL libraries directly to invoke remote methods, meaning the attack traffic may be indistinguishable from legitimate Track-It! client traffic at the protocol level.
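
The behavioral correlation described in the bullets above (a port 9010 connection, then a web-root write, then a privileged child process) can be sketched as follows. This is an added example, not code from the advisory or from BMC; the event schema, web root path, server process name, allowlist and five-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed, site-specific values (none of these come from the advisory).
WEB_ROOT = "C:\\EXAMPLE\\WebRoot\\"   # placeholder for the Track-It! web root
SERVER_PROC = "EXAMPLE_SERVER.exe"    # placeholder for the Track-It! server process
ALLOWED = {"10.0.0.15"}               # hosts expected to connect to port 9010
WINDOW = timedelta(minutes=5)         # assumed correlation window
PRIV_USERS = {"NETWORK SERVICE", "SYSTEM"}

def correlate(events):
    """Flag web-root writes that follow a port 9010 connection within WINDOW."""
    conns, findings = [], []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "net" and e["dport"] == 9010:
            conns.append((t, e["src"]))
        elif e["type"] == "file" and e["path"].lower().startswith(WEB_ROOT.lower()):
            srcs = sorted({s for ct, s in conns if t - ct <= WINDOW})
            if srcs:  # traffic is encrypted, so the timing is the only link
                findings.append({"path": e["path"], "time": t, "sources": srcs,
                                 "unexpected_source": any(s not in ALLOWED for s in srcs),
                                 "priv_exec": False})
        elif (e["type"] == "proc" and e["user"] in PRIV_USERS
              and e["parent"] == SERVER_PROC):
            for f in findings:  # privileged child soon after a flagged write
                if t - f["time"] <= WINDOW:
                    f["priv_exec"] = True
    return findings

# Constructed sample events (hypothetical schema, documentation addresses).
SAMPLE_EVENTS = [
    {"time": "2018-02-01T10:00:00", "type": "net", "src": "10.0.0.15", "dport": 9010},
    {"time": "2018-02-01T10:00:30", "type": "file", "path": "C:\\EXAMPLE\\WebRoot\\logo.png"},
    {"time": "2018-02-01T11:00:00", "type": "net", "src": "203.0.113.7", "dport": 9010},
    {"time": "2018-02-01T11:00:20", "type": "file", "path": "C:\\EXAMPLE\\WebRoot\\x.aspx"},
    {"time": "2018-02-01T11:00:25", "type": "file", "path": "C:\\Temp\\a.txt"},
    {"time": "2018-02-01T11:00:40", "type": "proc", "user": "SYSTEM", "parent": SERVER_PROC},
    {"time": "2018-02-01T12:30:00", "type": "file", "path": "C:\\EXAMPLE\\WebRoot\\y.css"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Writes that follow a connection from an allowlisted client are still reported, with `unexpected_source` set to false, because the notes above say exploit traffic can look like legitimate client traffic at the protocol level.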

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C