CVE-2016-6598
Published 2018-01-30
Priority: P277 · Severity: critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 19.58% (97.0th percentile)
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | track-it_! | <= 11.4 | — |
| bmc | track-it_! | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated inbound TCP connections to port 9010 on Track-It! servers; any connection from an unexpected source should be treated as suspicious exploitation of the unauthenticated .NET remoting FileStorageService.
- Detect .NET remoting RSA key exchange (Modulus/Exponent) followed by DES key negotiation on port 9010 without any credential exchange; this is the exploit's key-negotiation handshake pattern.
- Alert on new or modified files appearing under the Track-It! web root directory shortly after .NET remoting activity on port 9010, as the exploit uploads a file to an arbitrary path to achieve code execution.
- Look for processes spawned as NETWORK SERVICE or SYSTEM that are children of the Track-It! server process following file upload activity on port 9010, indicating successful code execution via the vulnerability.
- Traffic on port 9010 is DES-encrypted after the RSA key exchange, meaning standard plaintext deep-packet inspection will not reveal method names or file payloads; detection must rely on behavioral/heuristic signals rather than payload content inspection.
- The vulnerability affects Track-It! 11.4 versions prior to Hotfix 3; Track-It! 11.3 had related but distinct CVEs (CVE-2014-4872). Ensure version fingerprinting distinguishes between these when scoping detection rules.
- The exploit imports Track-It! client DLL libraries directly to invoke remote methods, meaning the attack traffic may be indistinguishable from legitimate Track-It! client traffic at the protocol level.
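Because the port-9010 traffic is DES-encrypted and protocol-level indistinguishable from a real client, the IOC list above boils down to three host- and network-metadata signals that can be correlated in time: an unexpected source connecting to port 9010, a file written under the web root shortly afterwards, and a NETWORK SERVICE / SYSTEM child of the server process after that. The script below is an added example (not code from the advisory, the vendor, or the PoC author) that runs that correlation over a constructed batch of log lines. The log line format, the web root path `C:\TrackIt\WebRoot`, the server image name `TrackItServer.exe`, the 120-second window, and the allow-listed source address are all assumptions chosen for the example.

```python
"""Behavioural correlation for the CVE-2016-6598 indicators (added example).

Assumed, not taken from the advisory: the 'timestamp key=value ...' log
format, the Track-It! web root path, the server process image name, the
correlation window and the sample events themselves (all constructed).
"""
import re
from datetime import datetime, timedelta

TRACKIT_PORT = 9010
WEB_ROOT = r"c:\trackit\webroot"           # assumed install path (lower-cased for comparison)
SERVER_IMAGE = "trackitserver.exe"         # assumed server process image name
CORRELATION_WINDOW = timedelta(seconds=120)  # "shortly after" from the IOC list, as an assumption
PRIVILEGED_USERS = {"network service", "system"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one constructed 'ISO-timestamp key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for key, val in KV_RE.findall(m.group("kv")):
        ev[key] = val.strip('"')
    return ev


def _within_window(ts, earlier):
    """True if ts falls at most CORRELATION_WINDOW after any timestamp in earlier."""
    return any(timedelta(0) <= ts - t <= CORRELATION_WINDOW for t in earlier)


def _account_name(user):
    """'NT AUTHORITY\\NETWORK SERVICE' -> 'network service'."""
    return user.split("\\")[-1].lower()


def correlate(lines, allowed_sources=frozenset()):
    """Apply the three behavioural detections from the IOC list to a batch of events.

    allowed_sources: addresses of known Track-It! clients; since exploit traffic
    looks like client traffic on the wire, source reputation is the only
    network-level distinction available.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    remoting_conns = []   # timestamps of suspicious port-9010 connections
    uploads = []          # timestamps of web-root writes that followed such a connection

    for e in events:
        kind = e.get("event")
        if kind == "net_conn" and int(e.get("dport", 0)) == TRACKIT_PORT:
            if e.get("src") not in allowed_sources:
                remoting_conns.append(e["ts"])
                alerts.append(("unexpected_remoting_connection", e["src"], e["ts"]))
        elif kind == "file_create":
            path = e.get("path", "").lower()
            if path.startswith(WEB_ROOT) and _within_window(e["ts"], remoting_conns):
                uploads.append(e["ts"])
                alerts.append(("webroot_write_after_remoting", e["path"], e["ts"]))
        elif kind == "proc_create":
            if (e.get("parent", "").lower() == SERVER_IMAGE
                    and _account_name(e.get("user", "")) in PRIVILEGED_USERS
                    and _within_window(e["ts"], uploads)):
                alerts.append(("privileged_child_after_upload", e.get("image", ""), e["ts"]))
    return alerts


# Constructed sample events: one full chain, one allow-listed client, one benign write.
SAMPLE_LOG = [
    '2018-01-30T10:00:01Z event=net_conn src=10.0.5.23 dst=10.0.0.10 dport=9010',
    '2018-01-30T10:00:04Z event=file_create path="C:\\TrackIt\\WebRoot\\page.aspx" user="NT AUTHORITY\\NETWORK SERVICE"',
    '2018-01-30T10:00:09Z event=proc_create parent=TrackItServer.exe image=cmd.exe user="NT AUTHORITY\\NETWORK SERVICE"',
    '2018-01-30T11:30:00Z event=net_conn src=10.0.1.5 dst=10.0.0.10 dport=9010',
    '2018-01-30T12:00:00Z event=file_create path="C:\\TrackIt\\Logs\\app.log" user=SYSTEM',
]

if __name__ == "__main__":
    for name, detail, ts in correlate(SAMPLE_LOG, allowed_sources=frozenset({"10.0.1.5"})):
        print(f"{ts.isoformat()} {name}: {detail}")
```

Run against the constructed sample with `10.0.1.5` allow-listed, the three events at 10:00 produce one alert each (connection, web-root write, privileged child), while the allow-listed client and the write outside the web root produce none. Dropping the allow-list adds a fourth alert for the 11:30 connection, which is the trade-off the last IOC bullet describes: without a list of expected clients, every port-9010 peer is indistinguishable from an attacker.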
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2018/Jan/92
- https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015
- https://github.com/pedrib/PoC/blob/master/advisories/bmc-track-it-11.4.txt