CVE-2016-6599
Published 2018-01-30
Priority: P267 · Critical 9.8 (CVSS 3.0) · Exploit available
EPSS: 12.54% (95.7th percentile)
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | track-it_! | <= 11.4 | — |
| bmc | track-it_! | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated .NET remoting connections on TCP port 9010 targeting the BMC Track-It! ConfigurationService; any connection that completes a key exchange (RSA modulus/exponent exchange followed by DES key receipt) without subsequent credential presentation is indicative of exploitation.
- Detect the unauthenticated key-negotiation state machine: look for TCP sessions on port 9010 that transition through SendingPublicKey → SendingSharedKey → SendingEncryptedMessage without any authentication step, which is the exploit flow.
- Alert on invocation of the ConfigurationService remote method on port 9010 from non-Track-It! client hosts, as this method returns the encrypted database and domain administrator credentials.
- Credentials in the retrieved configuration file are encrypted with a fixed DES key and IV of 'NumaraIT'; any attacker who obtains the encrypted blob can trivially decrypt it offline using this hardcoded key.
- Domain administrator credentials are only exposed when the Self-Service (password reset) component is enabled, which is the most common enterprise deployment scenario; prioritise detection and patching on those instances.
- Traffic on port 9010 will appear DES-encrypted after the key exchange, so payload-level inspection is not feasible without the session key; detection must rely on behavioural/connection-level analysis rather than content inspection.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2018/Jan/92
- https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015
- https://github.com/pedrib/PoC/blob/master/advisories/bmc-track-it-11.4.txt