CVE-2016-6599
CVE-2016-6599
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
Affected products
n/a · n/apublic PoCs found — 2
cve_referencepacketstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.htmlunverifiedexploitdbwww.exploit-db.com/exploits/43883unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.htmlhttps://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015http://seclists.org/fulldisclosure/2018/Jan/92https://github.com/pedrib/PoC/blob/master/advisories/bmc-track-it-11.4.txt