module
Numara / BMC Track-It! FileStorageService Arbitrary File Upload
| Disclosed | Created |
|---|---|
| 2014-10-07 | 2018-05-30 |
Disclosed
2014-10-07
Created
2018-05-30
Description
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!
v8 to v11.X.
The application exposes the FileStorageService .NET remoting service on port 9010
(9004 for version 8) which accepts unauthenticated uploads. This can be abused by
a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary
code execution as NETWORK SERVICE or SYSTEM.
This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,
10.0.0.143, 9.0.30.248 and 8.0.2.51.
v8 to v11.X.
The application exposes the FileStorageService .NET remoting service on port 9010
(9004 for version 8) which accepts unauthenticated uploads. This can be abused by
a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary
code execution as NETWORK SERVICE or SYSTEM.
This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,
10.0.0.143, 9.0.30.248 and 8.0.2.51.
Author
Pedro Ribeiro pedrib@gmail.com
Platform
Windows
Architectures
x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.