CVE-2016-6598 : BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.

Published 2018-01-30 20:29:00

Updated 2018-02-26 19:39:04

Source MITRE

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2016-6598

Probability of exploitation activity in the next 30 days: 1.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 82 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-6598

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-6598

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6598

http://seclists.org/fulldisclosure/2018/Jan/92

Full Disclosure: [CVE-2016-6598/9]: RCE and admin cred disclosure in BMC Track-It! 11.4
Exploit;Mailing List;Technical Description;Third Party Advisory

CVEs referencing this url
https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015

Track-It!: Track-It! Security Advisory [24-Dec-... | BMC Communities
Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.html

BMC Track-It! 11.4 Code Execution / Information Disclosure ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://github.com/pedrib/PoC/blob/master/advisories/bmc-track-it-11.4.txt

PoC/bmc-track-it-11.4.txt at master · pedrib/PoC · GitHub
Exploit;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2016-6598

BMC » Track-it!
Versions up to, including, (<=) 11.4
cpe:2.3:a:bmc:track-it\!:*:*:*:*:*:*:*:*
Matching versions
BMC » Track-it! » Version: 11.4 Update HF1
cpe:2.3:a:bmc:track-it\!:11.4:hf1:*:*:*:*:*:*
Matching versions
BMC » Track-it! » Version: 11.4 Update HF2
cpe:2.3:a:bmc:track-it\!:11.4:hf2:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-6598

Exploit prediction scoring system (EPSS) score for CVE-2016-6598

CVSS scores for CVE-2016-6598

CWE ids for CVE-2016-6598

References for CVE-2016-6598

Products affected by CVE-2016-6598