
CVE-2016-1542 PoC — BMC Software BladeLogic Server Automation Suite RSCD Agent security vulnerability

Source
Associated Vulnerability
Title: BMC Software BladeLogic Server Automation Suite RSCD Agent security vulnerability (CVE-2016-1542)
Description: BMC BladeLogic Server Automation (BSA) is a solution from the US company BMC Software for automated management, control and configuration of servers. It supports automated installation and configuration of operating systems across all operating systems as well as virtualization and cloud computing platforms. The RPC API in the RSCD agent of BMC BSA on Linux and UNIX platforms contains a security vulnerability. A remote attacker can exploit it to bypass authentication and enumerate users by sending an action packet to xmlrpc after a failed authentication. The following versions are affected: BMC BSA 8.2.x, 8.3.x, 8.5.x, 8.6
Description
BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
Readme
# BMC Bladelogic RSCD remote exploits for Linux and Windows
## Change passwords, List users and Remote code execution
Exploiting vulnerabilities in BMC BladeLogic RSCD agent
- CVE-2016-1542 (BMC-2015-0010)
- CVE-2016-1543 (BMC-2015-0011)
- CVE-2016-5063

## Published on exploit-db
- BMC_rexec.py
    - https://www.exploit-db.com/exploits/43902/
- BMC_winUsers.py
    - https://www.exploit-db.com/exploits/43934/

## BMC_rexec.py Overview

This method of remote execution was achieved by doing my own research - it is performed using XMLRPC and has only been tested against Windows. The script will hang, but the command should execute.

![rexec poc](images/BMC_rexec.png)

Nick Bloor has a much better execution exploit using a different technique:
- https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE
- https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/
- https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/
- https://www.tenable.com/plugins/index.php?view=single&id=91947

## BMC_winUsers.py Overview

After some research I was able to pull Windows users from the Windows BMC agent over XML RPC, so I adapted the getUsers file from ernw/insinuator to make a Windows version (see the following screenshot). I also modified the ernw/insinuator version to make it a dual platform exploit.

![winUsers poc](images/BMC_winUsers.png)
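
Both scripts above drive the agent over XML-RPC, and the vulnerability description notes that the bypass hinges on what the agent accepts after a failed authentication. As an added, generic illustration of that transport (this is not code from this repository, and the method name "listUsers", the parameter and the account names in the sample replies are assumptions, not the RSCD agent's real API or packet format), the following Python serialises an XML-RPC methodCall and classifies a methodResponse as data, fault or malformed, using constructed sample replies:

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed sample traffic. The method name "listUsers" and the account
# names below are assumptions made for this example; they are not the RSCD
# agent's real method names or data.
SAMPLE_USERS_RESPONSE = """<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value><array><data>
        <value><string>Administrator</string></value>
        <value><string>svc_bladelogic</string></value>
      </data></array></value>
    </param>
  </params>
</methodResponse>
"""

SAMPLE_FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value><struct>
      <member><name>faultCode</name><value><int>1</int></value></member>
      <member><name>faultString</name><value><string>authentication failed</string></value></member>
    </struct></value>
  </fault>
</methodResponse>
"""


def build_call(method, params=()):
    """Serialise an XML-RPC methodCall exactly as it would be written to the socket."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def parse_response(body):
    """Classify a methodResponse body.

    Returns ("ok", value) for a normal reply, ("fault", code, message) for an
    XML-RPC fault (an authentication failure is reported this way, not as a
    transport error), or ("error", reason) when the body is not well-formed
    XML-RPC at all.
    """
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as f:
        return ("fault", f.faultCode, f.faultString)
    except (xmlrpc.client.ResponseError, ExpatError) as e:
        return ("error", str(e))
    return ("ok", params[0] if params else None)


def extract_users(body):
    """Return the user names carried by a successful reply, or None otherwise."""
    result = parse_response(body)
    if result[0] != "ok" or not isinstance(result[1], list):
        return None
    return [str(u) for u in result[1]]


if __name__ == "__main__":
    # Hypothetical call: method and parameter are illustrative only.
    print(build_call("listUsers", ("Windows",)))
    print(parse_response(SAMPLE_FAULT_RESPONSE))
    print(extract_users(SAMPLE_USERS_RESPONSE))
```

The point to take from `parse_response` is that a rejected login comes back as a `<fault>` element inside an otherwise valid response, so a client must check the fault branch before treating anything as data, and, per the vulnerability description, a server must ensure that subsequent action packets on the same connection are still gated on the outcome of that fault rather than on the connection merely being open.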

## Credits

My exploits are adapted from https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic
- https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/

Thanks to Nick Bloor for the AWS image used for testing.

## Vendor links

- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543

File Snapshot

[4.0K] /data/pocs/c66d81d4797dd3387690153de0e636f5ff7a74d1
├── [4.2K] BMC_changePwd.py
├── [ 10K] BMC_getUsers.py
├── [3.4K] BMC_rexec.py
├── [6.2K] BMC_winUsers.py
├── [4.0K] images
│   ├── [ 54K] BMC_rexec.png
│   └── [ 74K] BMC_winUsers.png
└── [1.9K] README.md

1 directory, 7 files