BMC Server Automation RSCD Agent ACL Bypass - Nessus

Medium   Plugin ID: 90998

This page contains detailed information about the BMC Server Automation RSCD Agent ACL Bypass Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 90998
Name: BMC Server Automation RSCD Agent ACL Bypass
Filename: bmc_rscd_acl_bypass.nasl
Vulnerability Published: 2016-03-02
This Plugin Published: 2016-05-10
Last Modification Time: 2019-11-20
Plugin Version: 1.14
Plugin Type: remote
Plugin Family: Misc.
Dependencies: bmc_rscd_detect.nbin

Vulnerability Information


Severity: Medium
Vulnerability Published: 2016-03-02
Patch Published: 2016-02-26
CVE: CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
CPE: cpe:/a:bmc:bladelogic_server_automation_rscd_agent

Synopsis

The BMC Server Automation RSCD agent running on the remote host is affected by a security bypass vulnerability.

Description

The remote BMC BladeLogic Server Automation (BSA) RSCD agent is affected by a security bypass vulnerability due to a failure to properly enforce the ACL. An unauthenticated, remote attacker can exploit this, by ignoring the response to the RemoteServer.info request, to bypass the ACL and execute XML-RPC commands.

MITRE has assigned three different CVE identifiers to this vulnerability. CVE-2016-1542 and CVE-2016-1543 pertain to a variation where the exports file is bypassed, and CVE-2016-5063 concerns a variation where the users file is bypassed.

Note that CVE-2016-1542 and CVE-2016-1543 affect the Linux and Unix variants of RSCD, and CVE-2016-5063 affects the Windows variant.

Solution

The fix for the CVE-2016-1542 and CVE-2016-1543 issues is accomplished by using a BMC Server Automation Compliance Template. Alternatively, these issues can be mitigated by configuring a host-based firewall on the affected system to only accept connections from the BSA infrastructure systems. See the vendor advisory for more details.

The fix for the CVE-2016-5063 issue is accomplished by updating the RSCD agent on the affected systems to version 8.7 P3 or 8.8, whichever version is qualified to work with your Application Server. Alternatively, it can be mitigated by configuring the exports file on the affected system to only accept connections from the BSA infrastructure systems. See the vendor advisory for more details.

Public Exploits


Target Network Port(s): 4750
Target Asset(s): Services/bladelogic_rscd
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the BMC Server Automation RSCD Agent ACL Bypass vulnerability:

  1. Metasploit: exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
    [BMC Server Automation RSCD Agent NSH Remote Command Execution]
  2. Exploit-DB: exploits/multiple/remote/43902.py
    [EDB-43902: BMC BladeLogic 8.3.00.64 - Remote Command Execution]
  3. Exploit-DB: exploits/multiple/remote/43939.rb
    [EDB-43939: BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)]
  4. Exploit-DB: exploits/windows/webapps/43934.py
    [EDB-43934: BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure]
  5. GitHub: https://github.com/NickstaDB/PoC
    [CVE-2016-1542]
  6. GitHub: https://github.com/patriknordlen/bladelogic_bmc-cve-2016-1542
    [CVE-2016-1542: A rebuilt version of the exploit for CVE-2016-1542 and CVE-2016-1543 from ...]
  7. GitHub: https://github.com/patriknordlen/bladelogic_bmc-cve-2016-1542
    [CVE-2016-1543: A rebuilt version of the exploit for CVE-2016-1542 and CVE-2016-1543 from ...]
  8. GitHub: https://github.com/DreadFog/RSCD_CVEs
    [CVE-2016-5063: My research and works about the CVE 2016-5063/1542/1543 about the RSCD agent]
  9. GitHub: https://github.com/bao7uo/bmc_bladelogic
    [CVE-2016-1542: BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, ...]
  10. GitHub: https://github.com/bao7uo/bmc_bladelogic
    [CVE-2016-1543: BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, ...]
  11. GitHub: https://github.com/bao7uo/bmc_bladelogic
    [CVE-2016-5063: BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. Otherwise this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2016-5063
CVSS V2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
CVSS Base Score: 5.0 (Medium)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Temporal Score: 4.1 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 4.1 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C
CVSS Base Score: 5.3 (Medium)
Impact Subscore: 1.4
Exploitability Subscore: 3.9
CVSS Temporal Score: 4.9 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 4.9 (Medium)


Plugin Source


This is the bmc_rscd_acl_bypass.nasl nessus plugin source code. This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90998);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2016-1542", "CVE-2016-1543", "CVE-2016-5063");

  script_name(english:"BMC Server Automation RSCD Agent ACL Bypass");
  script_summary(english:"Bypasses ACL to execute XML-RPC commands.");

  script_set_attribute(attribute:"synopsis", value:
"The BMC Server Automation RSCD agent running on the remote host is
affected by a security bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote BMC BladeLogic Server Automation (BSA) RSCD agent is
affected by a security bypass vulnerability due to a failure to
properly enforce the ACL. An unauthenticated, remote attacker can
exploit this, by ignoring the response to the RemoteServer.info
request, to bypass the ACL and execute XML-RPC commands.

MITRE has assigned three different CVE identifiers to this
vulnerability. CVE-2016-1542 and CVE-2016-1543 pertain to a variation
where the exports file is bypassed, and CVE-2016-5063 concerns a
variation where the users file is bypassed.

Note that CVE-2016-1542 and CVE-2016-1543 affect the Linux and Unix
variants of RSCD, and CVE-2016-5063 affects the Windows variant.");
  # https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?674c058b");
  # https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?668a5e7a");
  # https://communities.bmc.com/community/bmcdn/bmc-devops/bmc_middleware_automation/blog/2016/03/02/bmc-server-automation-bsa-vulnerabilities-in-unixlinux-rscd-agent-cve-ids-cve-2016-1542-cve-2016-1543
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7e61055b");
  # https://troopers.de/events/troopers16/648_one_tool_to_rule_them_all_-_and_what_can_it_lead_to/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be481cfc");
  # https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d99b81e");
  script_set_attribute(attribute:"solution", value:
"The fix for the CVE-2016-1542 and CVE-2016-1543 issues is accomplished
by using a BMC Server Automation Compliance Template. Alternatively,
these issues can be mitigated by configuring a host-based firewall on
the affected system to only accept connections from the BSA
infrastructure systems. See the vendor advisory for more details.

The fix for the CVE-2016-5063 issue is accomplished by updating the
RSCD agent on the affected systems to version 8.7 P3 or 8.8, whichever
version is qualified to work with your Application Server.
Alternatively, it can be mitigated by configuring the exports file on
the affected system to only accept connections from the BSA
infrastructure systems. See the vendor advisory for more details.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5063");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'BMC Server Automation RSCD Agent NSH Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:bmc:bladelogic_server_automation_rscd_agent");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("bmc_rscd_detect.nbin");
  script_require_ports(4750, "Services/bladelogic_rscd");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("x509_func.inc");
include("byte_func.inc");
include("gunzip.inc");
include("bmc_rscd.inc");

appname = 'bladelogic_rscd';
port = get_service(svc:appname, default:4750, exit_on_fail:TRUE);
if(get_port_transport(port) != ENCAPS_IP) audit(AUDIT_LISTEN_NOT_VULN, appname, port);
if (!get_tcp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "tcp");

# Connect and send intro
soc = rscd_connect(type:"TLSRPC", port:port);
resp = send_xml_intro(soc:soc, port:port);

# If we are given access then we don't need to (and can't) bypass the ACL
if (!isnull(resp))
{
  close(soc);
  exit(1, "RSCD's ACL does not exclude Nessus from issuing XML-RPC commands.");
}

payload = '<?xml version="1.0" encoding="UTF-8"?>\n' +
 '<methodCall>\n' +
 '  <methodName>RemoteServer.getHostOverview</methodName>\n' + 
 '</methodCall>';
send_xmlrpc(payload:payload, soc:soc, port:port);

# The response will have compressed XML
resp = recv(socket:soc, length:1024);
close(soc);

if ("HTTP/1.1 200 OK" >!< resp) audit(AUDIT_INST_VER_NOT_VULN, appname);

decompressed = decompress_payload(resp:resp);
if ("agentInstallDir" >!< decompressed) audit(AUDIT_RESP_BAD, port);

security_report_v4(
  port:port,
  severity:SECURITY_WARNING,
  request:make_list("https://" + get_host_ip() + ":" + port + "/xmlrpc"),
  cmd:"RemoteServer.getHostOverview",
  output:decompressed);
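To make the plugin's decision tree easier to follow, here is an added Python re-implementation of its verdict logic run over constructed responses. It is not Tenable's code and sends nothing over the network. It assumes the probe reply is an HTTP/1.1 response whose body is gzip-compressed XML-RPC (the plugin includes gunzip.inc, but decompress_payload itself is not on this page), it models the RemoteServer.info intro from send_xml_intro only as accepted (non-null) or refused (null), and the sample methodResponse struct, host name and install path are constructed values.

```python
"""Offline model of the verdict logic in bmc_rscd_acl_bypass.nasl.

Added example, not Tenable's plugin code. Assumptions: the probe reply is
HTTP/1.1 with a gzip body; the intro outcome is modelled as None (refused)
or bytes (accepted); all sample traffic below is constructed.
"""
import gzip
import xml.etree.ElementTree as ET
from typing import Optional

PROBE_METHOD = "RemoteServer.getHostOverview"
MARKER = b"agentInstallDir"  # substring the plugin requires in the decompressed body


def build_probe() -> str:
    """The same XML-RPC methodCall the plugin sends after the intro was refused."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<methodCall>\n"
        f"  <methodName>{PROBE_METHOD}</methodName>\n"
        "</methodCall>"
    )


def split_http(raw: bytes):
    """Return (status_line, body) for a raw HTTP response; body may be empty."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return status_line, body


def classify(intro_resp: Optional[bytes], probe_resp: bytes) -> str:
    """Mirror the plugin's branches, one verdict per audit/report call:

    intro accepted                 -> 'acl_permits'    (exit(1): nothing to bypass)
    probe status not HTTP 200      -> 'not_vulnerable' (AUDIT_INST_VER_NOT_VULN)
    body not gzip or marker absent -> 'bad_response'   (AUDIT_RESP_BAD)
    marker present                 -> 'vulnerable'     (security_report_v4, SECURITY_WARNING)
    """
    if intro_resp is not None:
        return "acl_permits"
    status_line, body = split_http(probe_resp)
    if not status_line.startswith(b"HTTP/1.1 200 OK"):
        return "not_vulnerable"
    try:
        decompressed = gzip.decompress(body)
    except (OSError, EOFError):  # gzip.BadGzipFile is an OSError
        return "bad_response"
    if MARKER not in decompressed:
        return "bad_response"
    return "vulnerable"


def agent_install_dir(decompressed_xml: bytes) -> Optional[str]:
    """Extract the agentInstallDir member from a struct-shaped methodResponse.

    The struct layout is an assumption used for the constructed sample; the
    plugin itself only checks for the substring and echoes the whole body.
    """
    root = ET.fromstring(decompressed_xml)
    for member in root.iter("member"):
        if member.findtext("name") == "agentInstallDir":
            return member.findtext("value/string")
    return None


# ---- constructed sample traffic (not captured from a real agent) ----
SAMPLE_XML = (
    b'<?xml version="1.0"?><methodResponse><params><param><value><struct>'
    b"<member><name>agentInstallDir</name><value><string>/opt/bmc/bladelogic/RSCD</string></value></member>"
    b"<member><name>hostName</name><value><string>constructed-host</string></value></member>"
    b"</struct></value></param></params></methodResponse>"
)


def http_response(status: bytes, body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 response around a body (constructed)."""
    return (
        b"HTTP/1.1 " + status + b"\r\nContent-Type: text/xml\r\n"
        b"Content-Encoding: gzip\r\nContent-Length: " + str(len(body)).encode()
        + b"\r\n\r\n" + body
    )


VULNERABLE_REPLY = http_response(b"200 OK", gzip.compress(SAMPLE_XML))
DENIED_REPLY = http_response(b"403 Forbidden", b"")
GARBAGE_REPLY = http_response(b"200 OK", b"not gzip at all")
NO_MARKER_REPLY = http_response(b"200 OK", gzip.compress(b"<methodResponse/>"))

if __name__ == "__main__":
    cases = [
        ("intro accepted", b"<ok/>", VULNERABLE_REPLY),
        ("probe denied", None, DENIED_REPLY),
        ("probe 200 but not gzip", None, GARBAGE_REPLY),
        ("probe 200, marker missing", None, NO_MARKER_REPLY),
        ("probe 200 with marker", None, VULNERABLE_REPLY),
    ]
    for label, intro, probe in cases:
        print(f"{label:28s} -> {classify(intro, probe)}")
    print("reported install dir:", agent_install_dir(SAMPLE_XML))
```

Running the file prints one verdict per constructed case. The point for a defender reading a scan result is the ordering: the plugin only reports a finding when the intro was refused by the ACL and the unauthenticated getHostOverview call still came back as a 200 with a decompressible body naming agentInstallDir, so a "not vulnerable" result can equally mean the port was filtered by the host firewall that the Solution section recommends.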

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/bmc_rscd_acl_bypass.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\bmc_rscd_acl_bypass.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/bmc_rscd_acl_bypass.nasl


How to Run


Here is how to run the BMC Server Automation RSCD Agent ACL Bypass as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Misc. plugin family.
  6. On the right side table select BMC Server Automation RSCD Agent ACL Bypass plugin ID 90998.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl bmc_rscd_acl_bypass.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a bmc_rscd_acl_bypass.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - bmc_rscd_acl_bypass.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state bmc_rscd_acl_bypass.nasl -t <IP/HOST>


Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file bmc_rscd_acl_bypass.nasl version 1.14. For more plugins, visit the Nessus Plugin Library.
