Vulnerability Description
BMC Track-It! 11.4 contains an arbitrary file upload vulnerability and an information disclosure vulnerability which can be exploited by an unauthenticated user. The file upload vulnerability can be used to upload a file to the web root and execute code under the IIS user. The information disclosure vulnerability allows you to obtain the SQL database and the domain administrator credentials (username and password).
In October 2014 Pedro Ribeiro released two 0-day vulnerabilities (under CVE-2014-4872) for Track-It! 11.3. These abused the fact that you could upload arbitrary files and obtain the domain administrator password by simply querying the Track-It! server over the .NET remoting protocol without any authentication. Disclosure was done by the US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information and I released two Metasploit exploits.
BMC contacted Pedro asking for his advice on how to fix the issues, to which Pedro responded:
“For #1 [file upload] and #2 [domain admin pass disclosure] the fix is to implement authentication and authorization. There is no other way to fix it.
[…]
Make sure the auth is done properly. You will have to negotiate some kind of session key using the user’s credential at the start and use that session key for encryption going forward. Do not use a fixed key, as this can be reverse engineered.
If you don’t implement such a mechanism, it’s just a question of time before someone else breaks your protection and finds new vulnerabilities.”
BMC then released version 11.4 in which they claimed to have fixed the issues. Well… turns out they didn’t really take Pedro’s advice on board. They did add encryption to the messages which are sent between the client and the server, but they did not add any authentication. This means that any user can negotiate an encryption key with the server and then execute any action without authentication. So while the exploits Pedro has released for CVE-2014-4872 do not work, a new exploit has been written that bypasses their “protection”. This is a new vulnerability which is unique to Track-It! 11.4, and the new exploit code does not work on Track-It! 11.3 and below.
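A minimal model of the design Pedro recommends, set beside the unauthenticated key negotiation described above; it is an added illustration, not BMC's protocol and not code from this advisory. All names (`Server`, `hello`, `login`, `call`, the `ReadConfig` action used in testing, the sample account) are hypothetical.

```python
import hashlib, hmac, os

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

SALT = os.urandom(16)
USERS = {"alice": (SALT, kdf("correct horse", SALT))}  # constructed sample account

class Server:
    def __init__(self):
        self.pending, self.sessions = {}, {}

    def negotiate_anonymous(self):
        # Pattern the advisory criticizes: a key for whoever asks.
        sid, key = os.urandom(8).hex(), os.urandom(32)
        self.sessions[sid] = (key, None)  # encrypted, but nobody is identified
        return sid, key

    def hello(self, user, client_nonce):
        # Step 1: return the user's salt and a fresh server nonce.
        sid, server_nonce = os.urandom(8).hex(), os.urandom(16)
        self.pending[sid] = (user, client_nonce + server_nonce)
        salt = USERS[user][0] if user in USERS else os.urandom(16)
        return sid, salt, server_nonce

    def login(self, sid, proof):
        # Step 2: derive a per-session key from the credential and nonces.
        user, nonces = self.pending.pop(sid, (None, b""))
        key = mac(USERS[user][1], nonces) if user in USERS else os.urandom(32)
        if not hmac.compare_digest(proof, mac(key, b"login")):
            return False
        self.sessions[sid] = (key, user)
        return True

    def call(self, sid, action, tag):
        # Dispatch only inside an authenticated session, with a valid MAC.
        key, user = self.sessions.get(sid, (b"", None))
        if user is None:
            return "denied: unauthenticated"
        valid = hmac.compare_digest(tag, mac(key, action.encode()))
        return "ok" if valid else "denied: bad MAC"

def client_login(server, user, password):
    nonce = os.urandom(16)
    sid, salt, server_nonce = server.hello(user, nonce)
    key = mac(kdf(password, salt), nonce + server_nonce)
    return (sid, key) if server.login(sid, mac(key, b"login")) else None
```

The stored verifier in this sketch is password-equivalent, and requests carry no replay protection or per-action authorization check. A production design would use a vetted protocol, such as TLS with authenticated sessions or a PAKE, and add authorization on every action.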
Usage
These vulnerabilities are exploited via .NET remoting. The exploit code leverages their own libraries to access two services: ConfigurationService, which contains the credential data; and FileStorageService, which allows uploading a file to anywhere in the file system.
To upload a file to the web root:
TrackPwn.exe UploadFile 192.168.56.101:9010 C:\shell.aspx
To obtain the SQL and domain admin credentials:
TrackPwn.exe GetPasswords 192.168.56.101:9010 C:\output.txt
The SQL database password can always be obtained, but the domain credentials can only be extracted if Track-It! has been configured to remotely manage other computers. This facility can be set up in the Track-It! server by logging in as an administrator and going to Configuration->Auditing->Setup Credentials.
The code is self-explanatory – please let me know if you need a walkthrough or a more thorough explanation. More detailed information about the protocol is included in NOTES. Please refer also to my previous advisory for CVE-2014-4872 [1].
Building
Use Visual Studio 2013 to build the exploit. Two things to keep in mind:
1- Build for the x86 configuration.
2- The following files from Track-It! 11.4 need to be put under the <ROOT>\lib\ directory (where ROOT is the directory containing this file and the solution file):
DevExpress.Data.v14.1.dll
DevExpress.Xpo.v14.1.dll
Iesi.Collections.dll
Interop.TrackItBiz110.dll
Ionic.Zip.dll
NHibernate.dll
TrackIt.Core.BOM.dll
TrackIt.Core.Configuration.dll
TrackIt.Core.Configuration.MultisourceConfigurationImpl.dll
TrackIt.Core.Credential.dll
TrackIt.Core.DataAccess.dll
TrackIt.Core.FileStorage.dll
TrackIt.Core.FileStorage.FileStorageImpl.dll
TrackIt.Core.Licensing.dll
TrackIt.Core.Localization.dll
TrackIt.Core.Metadata.dll
TrackIt.Core.ResourceManagement.dll
TrackIt.Core.Security.dll
TrackIt.Deployment.Common.dll
TrackIt.Framework.Component.dll
TrackIt.Framework.ErrorHandling.dll
TrackIt.Utility.CodeGeneration.dll
TrackIt.Utility.Common.dll
TrackIt.Utility.Encryption.dll
TrackIt.Utility.Filter.dll
The complete package and files can be obtained by contacting ssd[]beyondsecurity.com.
Vendor Response
BMC has issued a patch and an advisory, https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015, to address these two issues.