CVE-2016-6599
published 2018-01-30

Priority: P267
CVSS 3.0: 9.8 critical (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 12.54% (95.7th percentile)

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
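The "fixed key and IV" weakness described above, as an added example (this is not code from the page or from BMC): any party holding the encrypted configuration blob can decrypt it offline because key and IV are both the constant "NumaraIT". DES-CBC with PKCS#7 padding is an assumption here (the .NET DESCryptoServiceProvider defaults); the CVE text only says DES with a fixed key and IV. The sample plaintext is constructed for the demo, not a real Track-It! value.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// Key and IV as reported in the CVE text. DES keys and blocks are 8 bytes,
// and "NumaraIT" is exactly 8 bytes, so the same string serves as both.
var numaraKey = []byte("NumaraIT")
var numaraIV = []byte("NumaraIT")

// DecryptNumaraDES decrypts a blob with the fixed key/IV.
// Assumption: CBC mode with PKCS#7 padding (.NET DESCryptoServiceProvider defaults).
func DecryptNumaraDES(ct []byte) ([]byte, error) {
	block, err := des.NewCipher(numaraKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the DES block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, numaraIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, block.BlockSize())
}

// EncryptNumaraDES is the inverse; used here only to build a constructed sample blob.
func EncryptNumaraDES(pt []byte) ([]byte, error) {
	block, err := des.NewCipher(numaraKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, numaraIV).CryptBlocks(ct, padded)
	return ct, nil
}

// pkcs7Pad appends 1..n bytes, each equal to the pad length.
func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

// pkcs7Unpad validates and strips the padding; a bad pad usually means wrong key/IV or a tampered blob.
func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || p > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-p], nil
}

func main() {
	// Constructed sample credential string, not a real Track-It! configuration value.
	sample := []byte("TrackItUser:Sup3rS3cret!")
	ct, _ := EncryptNumaraDES(sample)
	pt, err := DecryptNumaraDES(ct)
	fmt.Printf("blob=%x\nplaintext=%q err=%v\n", ct, pt, err)
}
```

Because both key and IV are constant, identical plaintexts always produce identical blobs, so the stored credentials can also be matched by ciphertext comparison without decrypting at all.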

Affected (2 ranges)

Vendor | Product    | Version range | Fixed in
bmc    | track-it_! | <= 11.4       |
bmc    | track-it_! |               |

Detection & IOCs (extracted from sources)

port: 9010
filename: TrackIt.Utility.Common.dll
  • Monitor for unauthenticated .NET remoting connections on TCP port 9010 targeting the BMC Track-It! ConfigurationService; a connection that completes the key exchange (RSA modulus/exponent exchange followed by DES key receipt) without any subsequent credential presentation is indicative of exploitation.
  • Detect the unauthenticated key-negotiation state machine: look for TCP sessions on port 9010 that transition through SendingPublicKey → SendingSharedKey → SendingEncryptedMessage without an authentication step; this is the exploit flow.
  • Alert on invocation of the ConfigurationService remote method on port 9010 from hosts that are not Track-It! clients, since this method returns the encrypted database and domain administrator credentials.
  • Credentials in the retrieved configuration file are encrypted with the fixed DES key and IV "NumaraIT"; anyone who obtains the encrypted blob can trivially decrypt it offline with this hardcoded key.
  • Domain administrator credentials are exposed only when the Self-Service (password reset) component is enabled, which is the most common enterprise deployment scenario, so prioritise detection and patching on those instances.
  • Traffic on port 9010 is DES-encrypted after the key exchange, so payload inspection is not feasible without the session key; detection must rely on behavioural and connection-level analysis rather than content inspection.
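The connection-level detection the bullets above call for, as an added example that is not the page's or BMC's code: parse a Zeek conn.log excerpt (constructed here, not real traffic) and flag completed TCP sessions to port 9010 on a Track-It! server from hosts that are not known Track-It! clients. The server list and known-client list are assumptions the operator supplies; the key-negotiation state machine is not modelled because the page gives no wire format for it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ConnRecord holds the conn.log columns the detection needs.
type ConnRecord struct {
	TS        string
	OrigH     string
	OrigP     int
	RespH     string
	RespP     int
	Proto     string
	ConnState string
}

// ParseZeekConn parses Zeek conn.log text (tab-separated, column names given by a
// "#fields" header line). Other "#" lines are metadata and are skipped.
func ParseZeekConn(log string) ([]ConnRecord, error) {
	var cols map[string]int
	var out []ConnRecord
	for _, line := range strings.Split(log, "\n") {
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "#fields\t") {
			cols = map[string]int{}
			for i, name := range strings.Split(line, "\t")[1:] {
				cols[name] = i
			}
			continue
		}
		if strings.HasPrefix(line, "#") {
			continue
		}
		if cols == nil {
			return nil, fmt.Errorf("data line before #fields header")
		}
		f := strings.Split(line, "\t")
		get := func(name string) string {
			i, ok := cols[name]
			if !ok || i >= len(f) {
				return ""
			}
			return f[i]
		}
		op, _ := strconv.Atoi(get("id.orig_p"))
		rp, _ := strconv.Atoi(get("id.resp_p"))
		out = append(out, ConnRecord{get("ts"), get("id.orig_h"), op, get("id.resp_h"), rp, get("proto"), get("conn_state")})
	}
	return out, nil
}

// FlagTrackItRemoting returns sessions matching the IOC: TCP to port 9010 on a Track-It!
// server from a host that is not a known Track-It! client. Sessions that never completed
// the TCP handshake (S0, REJ) are dropped: no remoting call can have happened on them.
func FlagTrackItRemoting(recs []ConnRecord, servers, knownClients map[string]bool) []ConnRecord {
	var hits []ConnRecord
	for _, r := range recs {
		if r.Proto != "tcp" || r.RespP != 9010 || !servers[r.RespH] || knownClients[r.OrigH] {
			continue
		}
		if r.ConnState == "S0" || r.ConnState == "REJ" {
			continue
		}
		hits = append(hits, r)
	}
	return hits
}

// SampleConnLog builds a constructed conn.log excerpt (hypothetical hosts, not real traffic).
func SampleConnLog() string {
	rows := [][]string{
		{"#path", "conn"},
		{"#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state"},
		{"1517270400.1", "C1", "10.0.0.50", "51000", "10.0.0.10", "9010", "tcp", "SF"}, // known client
		{"1517270401.2", "C2", "10.0.0.77", "51001", "10.0.0.10", "9010", "tcp", "SF"}, // unknown host, completed
		{"1517270402.3", "C3", "10.0.0.77", "51002", "10.0.0.10", "9010", "tcp", "S0"}, // scan, no handshake
		{"1517270403.4", "C4", "10.0.0.77", "51003", "10.0.0.10", "443", "tcp", "SF"},  // other port
		{"1517270404.5", "C5", "10.0.0.77", "51004", "10.0.0.10", "9010", "udp", "S0"}, // not TCP
	}
	var b strings.Builder
	for _, r := range rows {
		b.WriteString(strings.Join(r, "\t"))
		b.WriteByte('\n')
	}
	return b.String()
}

func main() {
	recs, err := ParseZeekConn(SampleConnLog())
	if err != nil {
		panic(err)
	}
	servers := map[string]bool{"10.0.0.10": true}      // assumed Track-It! server
	knownClients := map[string]bool{"10.0.0.50": true} // assumed Track-It! console host
	for _, h := range FlagTrackItRemoting(recs, servers, knownClients) {
		fmt.Printf("ALERT ts=%s %s:%d -> %s:%d state=%s\n", h.TS, h.OrigH, h.OrigP, h.RespH, h.RespP, h.ConnState)
	}
}
```

The known-client allowlist is what keeps this from paging on every console session; without it the rule is only a port filter. Half-open sessions are excluded so a port scan sweeping 9010 does not look like a successful configuration retrieval.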

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P