CVE-2023-34258 Exploit Step-by-Step: BMC Patrol Remote Code Execution Vulnerability

June 21, 2023
Muhammad Kamran Hasan
CVE-2023-34258 Exploit Step-by-Step: BMC Patrol Remote Code Execution Vulnerability

BMC Patrol is a software application that helps organizations to monitor and manage their IT infrastructure. In March 2023, a vulnerability was discovered in BMC Patrol that could allow an attacker to achieve remote code execution.

Vulnerability: All Patrol instances before update 22.1.00 use a default encryption key. This key is hard-coded in the pconfig binary, which is used to remotely update the configuration of BMC Patrol agents.

Vulnerability exploitation: An attacker could exploit this vulnerability by capturing the traffic between a BMC Patrol agent and the pconfig binary. The traffic would contain the default encryption key, which the attacker could then use to decrypt the configuration data of the BMC Patrol agent.

Exploit PoC:

The configuration of a BMC Patrol agent can be remotely queried using the pconfig binary. The configuration contains the encrypted password of the local Patrol user, which is used to authenticate to the BMC Patrol server.

All Patrol instances before update 22.1.00 use a default encryption key. This key is hard-coded in the pconfig binary, which is used to remotely update the configuration of BMC Patrol agents.

The default encryption key is:

HEX -> 0102030405060708414243444546474861626364656667689192939495969798

The decryption is quite simple and here’s the code in python for it:

Though, we can use cyberchef decrypt the patrol user password

Once the attacker has the decrypted password, they can use it to authenticate to the BMC Patrol server. With a valid authentication, the attacker can then remotely execute code on the BMC Patrol server.

Impact: An attacker who successfully exploits this vulnerability could gain access to sensitive information, such as passwords, database credentials, and other sensitive data.

Mitigation: The vulnerability affects BMC Patrol versions before 22.1.00. BMC has released a patch for this vulnerability, so users should update their BMC Patrol installations to the latest version as soon as possible.

Remediation steps

The following remediation steps can be taken to address CVE-2023-34258:

  • Update BMC Patrol to version 22.1.00 or later.

  • If you cannot update to version 22.1.00, you can apply the following workaround:

  • Disable the "Remote Configuration" feature in BMC Patrol.

  • Block access to the following URLs:

  1. /config/agent

  2. /config/agent/info

Conclusion

CVE-2023-34258 is a serious vulnerability that could allow an attacker to achieve remote code execution on a BMC Patrol system. Users should update their BMC Patrol installations to the latest version as soon as possible to protect themselves from this vulnerability.

References:

CVE-2021-3129 Proof of Concept: In-Depth Exploration of the Laravel Ignition RCE Vulnerability
CVE-2021-3129 Proof of Concept: In-Depth Exploration of the Laravel Ignition RCE Vulnerability
2024-02-14
James McGill
Cracking Containers: Understanding CVE-2024-21626 in runc
Cracking Containers: Understanding CVE-2024-21626 in runc
2024-02-18
James McGill
Unraveling Arbitrary Code Execution in Apache Commons Text (CVE-2022-42889) with PoC
Unraveling Arbitrary Code Execution in Apache Commons Text (CVE-2022-42889) with PoC
2024-01-13
James McGill
CVE-2023-32315: Understanding the Openfire Admin Console Path Traversal Vulnerability
CVE-2023-32315: Understanding the Openfire Admin Console Path Traversal Vulnerability
2024-02-07
James McGill
CVE-2024-23897: A Critical RCE Vulnerability in Jenkins
CVE-2024-23897: A Critical RCE Vulnerability in Jenkins
2024-01-29
James McGill
Demystifying CVE-2021-4034: Unpacking the Polkit pkexec RCE Vulnerability
Demystifying CVE-2021-4034: Unpacking the Polkit pkexec RCE Vulnerability
2024-01-21
James McGill