BMC Track It 11.2
Attempting to reproduce a .NET Remoting vulnerability.
Download BMC Track It 11.2 from CNET. http://download.cnet.com/BMC-Track-It/3000-18482_4-10003961.html?tag=bc
Disconnect your VM from the internet because you don't want to be vulnerable.
First we install it. After installation:
Lo and behold, we have something listening on port 9010 (on all interfaces).
PS C:\> netstat -an | findstr.exe "9010"
  TCP    0.0.0.0:9010           0.0.0.0:0              LISTENING
PS C:\>
But now we have the problem of finding the module that is listening on port 9010. For that we can use the -b switch of netstat, which needs an elevated (admin) PowerShell window or command prompt.
PS C:\> netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
  ...
  TCP    0.0.0.0:5357           x64-PC:0               LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:6712           x64-PC:0               LISTENING
 [TIHost.exe]
  TCP    0.0.0.0:9010           x64-PC:0               LISTENING
 [TIServiceManagement.exe]
  TCP    0.0.0.0:49176          x64-PC:0               LISTENING
 [sqlservr.exe]
  TCP    127.0.0.1:49176        x64-PC:49519           ESTABLISHED
 [sqlservr.exe]
  TCP    127.0.0.1:49519        x64-PC:49176           ESTABLISHED
 [TIServiceManagement.exe]
  ...
So we have two open ports belonging to Track-It!: 6712 (TIHost.exe) and 9010 (TIServiceManagement.exe). We can see that they are running as SYSTEM according to this screenshot from Task Manager, and one of them is a service.
At this point we do not know what is running on port 5357, but if we telnet to it we will see a familiar response:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 28 Oct 2015 01:35:23 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

Connection to host lost.
This is interesting (HTTP.sys is listening there), but not what we are looking for. Maybe we will come back to it later.
Connect to localhost:9010 with telnet or your browser and observe the error message, which indicates that we are on the right track:
.NET..........System.Runtime.Remoting.RemotingException: Tcp channel protocol violation: expecting preamble.
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadAndMatchPreamble()
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadVersionAndOperation(UInt16& operation)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerSocketHandler.ReadHeaders()
   at System.Runtime.Remoting.Channels.Tcp.TcpServerTransportSink.ServiceRequest(Object state)
   at System.Runtime.Remoting.Channels.SocketHandler.ProcessRequestNow()

Connection to host lost.
Go to C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Services, which contains the TIServiceManagement.exe executable, and look inside its config file:
<appSettings>
  <add key="ConfigurationRemotingChannel" value="tcp" />
  <add key="ConfigurationRemotingHost" value="x64-PC" />
  <add key="ConfigurationRemotingPort" value="9010" />
  <!--Remoting Services Manager-->
  <add key="RemotingServiceClass" value="TrackIt.Core.ServiceManagement.ServiceManagementImpl.ServiceManagementServer,TrackIt.Core.ServiceManagement.ServiceManagementImpl" />
  <add key="RemotingServiceName" value="TIServiceManagement" />
  <add key="RemotingServiceDisplayName" value="Track-It! Service Management" />
  <add key="RemotingServiceDescription" value="Manages services instances deployed on this host." />
  <add key="SystemHealth:SystemHealthConfiguration:TrackIt.Core.Configuration.MultisourceConfigurationImpl.DatabaseConfigurationSource" value="Database source" />
</appSettings>
Open Properties > Details for TIServiceManagement.exe and we will see that the file description is RemotingServicesManager, as is its original filename.
Here's the thing: we can open the file in dnSpy and poke around, but let's cut to the chase and look at the local traffic.
To capture local traffic [link to the capturing local traffic blog post] we will use RawCap. Run RawCap and start capturing on the pseudo loopback interface. Now start the application and log in. The demo user does not have a password.
And we can see the contents (well, the printable parts) by using Follow TCP Stream.
We have seen the first request before (I have filtered out a lot of non-printable characters unless they are needed, and we are going to talk about them).
.NET 3 tcp://x64-PC:9010/TrackIt.Core.ConfigurationService.
GetProductDeploymentValues TrackIt.Core.Configuration.IConfigurationSecureDelegator, TrackIt.Core.Configuration, Version=188.8.131.525, Culture=neutral, PublicKeyToken=null
As we have seen before [link to the first .NET remoting post] we can find the DLL and the object that is being called remotely.
Remote function: GetProductDeploymentValues
Function class: TrackIt.Core.Configuration.IConfigurationSecureDelegator
DLL: TrackIt.Core.Configuration
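To make sense of what Follow TCP Stream shows (the ".NET", the lone "3", the tcp:// URI) here is an added example, not code from this post and not BMC's, that builds and parses the transport header the .NET Remoting TCP channel puts in front of every message. The layout (preamble ".NET", version 1.0, operation, chunking flag, Int32 content length, then tagged headers up to an EndOfHeaders token) follows the framework's own TcpSocketHandler, which is also the code in the "expecting preamble" stack trace above. My reading of the capture, not stated in the post: the "3" is the first byte of the little-endian Int32 length prefix of the UTF-8 RequestUri header, since "tcp://x64-PC:9010/TrackIt.Core.ConfigurationService" is 51 = 0x33 bytes long. The body length passed to BuildRequest is a placeholder because the serialized MethodCall body is not built here.

```csharp
// Added example (not from the post or from BMC): encode/decode the .NET Remoting TCP channel
// transport frame, per System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler / MS-NRTP.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

static class TcpRemotingFrame
{
    // Header tokens (TcpHeaders) and the format byte that follows most of them (TcpHeaderFormat)
    const ushort EndOfHeaders = 0, Custom = 1, StatusCode = 2, StatusPhrase = 3,
                 RequestUri = 4, CloseConnection = 5, ContentType = 6;
    const byte FmtCountedString = 1;
    const byte StrUtf8 = 1;                     // TcpStringFormat: 0 = Unicode (UTF-16LE), 1 = UTF-8
    static readonly byte[] Preamble = Encoding.ASCII.GetBytes(".NET");

    public sealed class Frame
    {
        public ushort Operation;                // 0 = Request, 1 = OneWayRequest, 2 = Reply
        public bool Chunked;
        public int ContentLength;               // only present when not chunked
        public Dictionary<string, string> Headers = new Dictionary<string, string>();
    }

    // Request frame with the two headers a BinaryFormatter client sends: RequestUri and Content-Type.
    public static byte[] BuildRequest(string uri, int bodyLength)
    {
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write(Preamble);
        w.Write((byte)1); w.Write((byte)0);     // major/minor version; the server accepts only 1.0
        w.Write((ushort)0);                     // OperationType.Request
        w.Write((ushort)0);                     // TcpContentDelimiter.ContentLength (not chunked)
        w.Write(bodyLength);                    // Int32 length of the serialized MethodCall that follows
        w.Write(RequestUri); w.Write(FmtCountedString); WriteCountedString(w, uri);
        w.Write(ContentType); w.Write(FmtCountedString); WriteCountedString(w, "application/octet-stream");
        w.Write(EndOfHeaders);
        w.Flush();
        return ms.ToArray();
    }

    static void WriteCountedString(BinaryWriter w, string s)
    {
        byte[] b = Encoding.UTF8.GetBytes(s);
        w.Write(StrUtf8); w.Write(b.Length); w.Write(b);   // encoding byte, Int32 length, bytes
    }

    static string ReadCountedString(BinaryReader r)
    {
        byte enc = r.ReadByte();
        byte[] b = r.ReadBytes(r.ReadInt32());
        return enc == StrUtf8 ? Encoding.UTF8.GetString(b) : Encoding.Unicode.GetString(b);
    }

    // Parses a frame and fails on the same conditions the server reports as a protocol violation.
    public static Frame Parse(byte[] data)
    {
        var r = new BinaryReader(new MemoryStream(data));
        if (Encoding.ASCII.GetString(r.ReadBytes(4)) != ".NET")
            throw new InvalidDataException("Tcp channel protocol violation: expecting preamble");
        byte major = r.ReadByte(), minor = r.ReadByte();
        if (major != 1 || minor != 0)
            throw new InvalidDataException("unsupported version " + major + "." + minor);
        var f = new Frame { Operation = r.ReadUInt16() };
        f.Chunked = r.ReadUInt16() != 0;
        if (!f.Chunked) f.ContentLength = r.ReadInt32();
        for (ushort tok = r.ReadUInt16(); tok != EndOfHeaders; tok = r.ReadUInt16())
        {
            switch (tok)
            {
                case Custom:                    // no format byte: name string, then value string
                    f.Headers[ReadCountedString(r)] = ReadCountedString(r); break;
                case RequestUri:
                case StatusPhrase:
                case ContentType:
                    r.ReadByte();               // format byte (CountedString)
                    f.Headers[tok == RequestUri ? "RequestUri" : tok == ContentType ? "Content-Type" : "StatusPhrase"]
                        = ReadCountedString(r); break;
                case StatusCode:
                    r.ReadByte(); f.Headers["StatusCode"] = r.ReadUInt16().ToString(); break;
                case CloseConnection:
                    r.ReadByte(); f.Headers["CloseConnection"] = r.ReadByte().ToString(); break;
                default:
                    throw new InvalidDataException("unknown header token " + tok);
            }
        }
        return f;
    }

    static void Main()
    {
        // URI as seen in the capture; body length 0 stands in for the MethodCall that is not built here.
        byte[] frame = BuildRequest("tcp://x64-PC:9010/TrackIt.Core.ConfigurationService", 0);
        Console.WriteLine(BitConverter.ToString(frame, 0, 24));
        Frame f = Parse(frame);
        Console.WriteLine("op={0} chunked={1} len={2}", f.Operation, f.Chunked, f.ContentLength);
        foreach (var kv in f.Headers) Console.WriteLine("{0}: {1}", kv.Key, kv.Value);
        // What telnet/a browser sends instead of ".NET": the same failure the server printed back at us.
        try { Parse(Encoding.ASCII.GetBytes("GET / HTTP/1.1\r\n\r\n")); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```

Parse stops at the EndOfHeaders token; the bytes after it are the BinaryFormatter-serialized MethodCall, which is where the method name GetProductDeploymentValues and the assembly-qualified interface name in the capture come from. That body is the part a server deserializes before any application code runs, which is why a reachable TCP remoting endpoint deserves attention even before you know what the exposed methods do.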
The application that called the remote object is C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Server\Installers\TechnicianClient\en\TechnicianClient_11_2_0_345\TechnicianClient.exe. The DLL in question is in the same directory.
These look to be all of the exposed functions. GetFileContent looks nice.
Now we want to know when it is called. If we remember the .NET Remoting primers, we know that a message describing the call (method name, type and arguments) will be created and sent over. Right-click the function and select Analyze and a panel appears. In the panel select Used By. This shows everywhere in the loaded binaries (executables and DLLs) that this function is used. In this case it is in the same DLL (TrackIt.Core.Configuration.dll) and the function is TrackIt.Core.Configuration.ConfigurationInterceptor.GetProductDeploymentValues(). Pretty handy, neh?
Let's put a breakpoint here and run TechnicianClient.exe in dnSpy. Now if we want to see how we got here we can use Debug (menu) > Show Call Stack. Isn't this nice?
Now if we step into three times, we will reach the familiar code base in
1, so the if statement will be true. Now step until we are past line 408, or message = expr_14; (remember that breakpoints set here will not trigger). We can inspect the variable message and see the method being called and its arguments, if it had any (remember that Alt+4 will open the
Great, now we have a decent idea of what is happening here with regards to .NET Remoting. If we go to the C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Services directory we will see a similar set of DLLs (both caller and callee have a copy of the methods). In this case the DLL is
We can use this DLL to create our own app that connects to the service and does stuff.
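Here is what such an app looks like, as an added example (not code from this post and not BMC's). It assumes you compile against TrackIt.Core.Configuration.dll copied from the Track-It! Services directory for the IConfigurationSecureDelegator interface, that the interface lives in the TrackIt.Core.Configuration namespace, that the object URI is the one seen in the capture, and that GetProductDeploymentValues takes no arguments (the post saw none in the intercepted message). Its return type is not shown anywhere above, so the result is invoked and printed through reflection rather than a typed call. The project must target the .NET Framework; .NET Remoting does not exist on .NET Core.

```csharp
// Added example (not from the post or from BMC): a minimal .NET Remoting client for the
// TIServiceManagement endpoint, using the same transparent-proxy mechanism TechnicianClient.exe uses.
using System;
using System.Collections;
using System.Reflection;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using TrackIt.Core.Configuration;   // assumed namespace of IConfigurationSecureDelegator (reference the DLL)

class TiRemotingClient
{
    static void Main(string[] args)
    {
        // ConfigurationRemotingHost / ConfigurationRemotingPort from the service config; URI from the capture.
        string host = args.Length > 0 ? args[0] : "x64-PC";
        string url = "tcp://" + host + ":9010/TrackIt.Core.ConfigurationService";

        // Client-only TCP channel (TcpClientChannel opens no listening socket of our own).
        // Second argument false: no remoting-level authentication/encryption; the server channel we
        // observed speaks plain TCP. Replies are deserialized with BinaryFormatter on our side, so
        // point this only at a host you control.
        ChannelServices.RegisterChannel(new TcpClientChannel("ti-client", new BinaryClientFormatterSinkProvider()), false);

        // Activator.GetObject builds a transparent proxy; nothing touches the wire until the first call.
        var svc = (IConfigurationSecureDelegator)Activator.GetObject(typeof(IConfigurationSecureDelegator), url);
        Console.WriteLine("transparent proxy: " + RemotingServices.IsTransparentProxy(svc));

        // Every method declared on the interface is callable over the wire; this is the same list
        // dnSpy showed under the interface type.
        foreach (MethodInfo m in typeof(IConfigurationSecureDelegator).GetMethods())
            Console.WriteLine("  {0} {1}({2} args)", m.ReturnType.Name, m.Name, m.GetParameters().Length);

        // Issue the call TechnicianClient.exe makes first. Reflection keeps this compiling without
        // knowing the exact signature; switch to a direct typed call once dnSpy shows it.
        MethodInfo target = typeof(IConfigurationSecureDelegator).GetMethod("GetProductDeploymentValues");
        if (target == null || target.GetParameters().Length != 0)
        {
            Console.WriteLine("GetProductDeploymentValues not found with zero parameters; check the interface in dnSpy");
            return;
        }
        try
        {
            object result = target.Invoke(svc, null);
            Console.WriteLine("returned " + (result == null ? "null" : result.GetType().FullName));
            if (result is IEnumerable items && !(result is string))
                foreach (object item in items) Console.WriteLine("  " + item);
        }
        catch (TargetInvocationException ex)
        {
            // Connection refused, wrong URI, or a server-side exception marshalled back through the proxy.
            Console.WriteLine("call failed: " + (ex.InnerException ?? ex).Message);
        }
    }
}
```

Run it on the VM with the service up and capture the loopback traffic again with RawCap: the request frame will match the one the real client sent, minus whatever headers the Track-It! code adds through its own sinks. From here, the interesting questions are which of the listed methods (GetFileContent, for instance) require any authentication at all, since the channel itself enforced none.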