BMC Track-it! Remote Code Execution / SQL Injection

`Hi,  
  
tl;dr - I am releasing two 0 day exploits for BMC Track-It!. One is a  
RCE and the other gets you the domain admin and SQL database creds.  
Other minor vulns are also disclosed. Details below.  
  
CERT handled the disclosure for these vulnerabilities (see CERT  
VU#121036) and according to them BMC didn't even acknowledge the issue  
for 45 days.  
  
BMC have contacted me directly today, but it's too late now, the cat  
is out of the bag as the CERT advisory has been published. Any  
vulnerability researcher worth their salt will be able to work out how  
to exploit these issues, so there is no point in holding back on  
releasing the exploits.  
  
The exploits have been submitted to Metasploit and should be released soon, see:  
https://github.com/rapid7/metasploit-framework/pull/3965  
https://github.com/rapid7/metasploit-framework/pull/3966  
  
>> Multiple critical vulnerabilities in BMC Track-It!  
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security  
=================================================================================  
  
The application exposes several .NET remoting services on port 9010.  
.NET remoting is a RMI technology similar to Java RMI or CORBA which  
allows you to invoke methods remotely and retrieve their result. In  
BMC Track-It!, the .NET remoting services are unauthenticated and  
unencrypted, meaning that anyone can invoke all the exposed methods  
remotely.  
  
It is possible to capture traffic and decode the packet format by  
looking at the (incomplete) Microsoft .NET remoting specifications.  
Using these techniques, two Metasploit modules were produced: one is a  
exploit module that can upload arbitrary files to the web root and  
achieve remote code execution, and the other is an auxiliary module  
that allows retrieval of the SQL and domain administrator credentials.  
  
Three other vulnerabilities (SQL injection, arbitrary file download  
and hardcoded database credentials) were also discovered.  
  
A special thanks to CERT for handling the communication to BMC and the  
disclosure of these vulnerabilities. These issues are tracked by CERT  
as VU#121036 (http://www.kb.cert.org/vuls/id/121036).  
  
  
>> Background on the affected product:  
"Track-It! IT Help Desk Software includes everything you need for IT  
Help Desk management. Full featured, easy to deploy, easy to use and  
cost-effective, Track-It! Help Desk is designed specifically with the  
needs of small to mid-sized organizations in mind.  
Over 55,000 organizations worldwide have trusted Track-It! for their  
IT help desk ticketing and asset management needs. Track-It! IT Help  
Desk Software includes, helpdesk, work order ticket tracking, incident  
and problem management, knowledge management, service level  
management, asset management, change management, software license  
management, mobile device access, end-user self-service and more.  
Track-It! Help Desk delivers the strength of ITSM best practices with  
the simplicity of smooth installation and quick configuration to  
provide instant return on your investment."  
  
  
>> Technical details:  
#1 Domain administrator and SQL server user credentials disclosure  
(unauthenticated)  
Versions affected: 9 to 11.3+ (version 8 might be affected, but could  
not be confirmed)  
CVE-2014-4872  
  
The application exposes an unauthenticated .NET remoting configuration  
service (ConfigurationService) on port 9010.  
This service contains a method that can be used to retrieve a  
configuration file that contains the application database name,  
username and password as well as the domain administrator username and  
password. These are encrypted using a fixed key and IV ("NumaraIT")  
using the DES algorithm. The domain administrator username and  
password can only be obtained if the Self-Service component is  
enabled, which is the most common scenario in enterprise deployments.  
A Metasploit module that exploits this vulnerability has been released.  
  
  
#2 Remote code execution via file upload (unauthenticated)  
Versions affected: 8 to 11.3+  
CVE-2014-4872 (same as #1)  
  
The application exposes an unauthenticated .NET remoting file storage  
service (FileStorageService) on port 9010.  
This service contains a method that allows uploading a file to an  
arbitrary path on the machine that is running Track-It!. This can be  
used to upload a file to the web root and achieve code execution as  
NETWORK SERVICE or SYSTEM.  
A Metasploit module that exploits this vulnerability has been released.  
  
  
#3 Blind SQL injection (authenticated)  
Versions affected: Unknown, at least 11.3  
CVE-2014-4873  
  
POST /TrackItWeb/Grid/GetData  
pagingMode=0&id=WebGrid.21&appFilters=[{"type":"numeric","field":"userid  
= 51)) blag; $CREATE TABLE lol(lulz text);$ select woid from (select  
woid, row_number() over (ORDER BY woid) RowNumber from z$vTASKS_BROWSE  
-- ","comparison":"=","value":51}]  
  
Accepts injection between the two $.  
  
  
#4 Arbitrary file download (authenticated)  
Versions affected: Unknown, at least 11.3  
CVE-2014-4874  
  
GET /TrackItWeb/Attachment/Open?attachmentType=1&entityId=1337&entityGuid=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa&fileName=C:\boot.ini  
  
  
#5 Hardcoded database credentials  
Versions affected: Unknown, at least from 8 to 11.3+  
  
When installed with the built-in SQL Express, Track-It! uses the  
following hardcoded database credentials:  
Username: TrackIt80_1  
Password: TI_DB_P@ssw0rd  
  
  
>> Fix:  
UNFIXED - the vendor refused to acknowledge the vulnerabilities and  
did not respond to CERT.  
Block all communications from untrusted networks (e.g. the Internet)  
to ports 9010 to 9020.  
Block the database port if you are using the built in SQL Express  
(port 49159 is the default in recent versions).  
Ensure you do not have any untrusted users with access to Track-It!.  
  
  
A copy of this advisory can be found in my repo:  
https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt  
  
Regards,  
Pedro  
`