CVE-2014-4872
BMC Track-It! 11.3.0.355 - Unauthenticated Remote Code Execution via .NET Remoting
Title source: llmExploitation Summary
EIP tracks 4 public exploits for CVE-2014-4872.
PoCs published by Metasploit, Pedro Ribeiro, including Metasploit module auxiliary/gather/trackit_sql_domain_creds.
AI-analyzed exploit summary This Metasploit module exploits an arbitrary file upload vulnerability in Numara/BMC Track-It! by leveraging an unauthenticated .NET remoting service to upload ASP/ASPX files to the web root, achieving remote code execution as NETWORK SERVICE or SYSTEM.
Description
BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
Exploits (4)
This Metasploit module exploits an arbitrary file upload vulnerability in Numara/BMC Track-It! by leveraging an unauthenticated .NET remoting service to upload ASP/ASPX files to the web root, achieving remote code execution as NETWORK SERVICE or SYSTEM.
The document describes multiple vulnerabilities in BMC Track-It!, including unauthenticated .NET remoting services exposing credentials and file upload capabilities, leading to remote code execution and information disclosure. It also mentions SQL injection, arbitrary file download, and hardcoded database credentials.
This Metasploit module exploits an unauthenticated .NET remoting service in BMC/Numara Track-It! to retrieve Domain Administrator and SQL server credentials. It crafts a malicious packet to query the ConfigurationService and extracts sensitive data from the response.
This Metasploit module exploits an arbitrary file upload vulnerability in Numara/BMC Track-It! versions 8 to 11.X via an unauthenticated .NET remoting service on port 9010 (or 9004 for v8). It uploads an ASP/ASPX payload to achieve remote code execution as NETWORK SERVICE or SYSTEM.