BMC FootPrints ITSM VIEWSTATE Deserialization Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in BMC FootPrints ITSM versions 20.20.02 prior to 20.24.01.001. This vulnerability arises from the deserialization of untrusted data in the ASP.NET servlet's VIEWSTATE handling, allowing authenticated attackers to execute arbitrary code and fully compromise the application. Exploitation involves supplying crafted serialized objects to the VIEWSTATE parameter, leading to remote code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where BMC FootPrints ITSM is running.
Reproduction
The vulnerability can be reproduced by first bypassing authentication to obtain a security token cookie. This can be done by sending a request to the 'passwordreset/request/' endpoint, which responds with the 'SEC_TOKEN' cookie. Once authenticated, the vulnerability can be exploited by sending a POST request to the 'aspnetconfig' endpoint with a crafted VIEWSTATE parameter that includes a serialized object designed to exploit the deserialization vulnerability. The request must include the 'SEC_TOKEN' cookie to maintain the authenticated session.
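For detection, the request sequence described above can be looked for in web server access logs. The following is an added example, not code from the advisory or from BMC: it flags every POST to a path containing 'aspnetconfig' and raises the severity when the same client requested 'passwordreset/request/' shortly beforehand. The log field layout, the /app path prefix, the 10-minute window and the sample lines are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Endpoint fragments named in the advisory; everything else is an assumption.
TOKEN_PATH = "passwordreset/request/"
TARGET_PATH = "aspnetconfig"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample in IIS W3C style (field order assumed; IPs are
# documentation addresses and the /app prefix is a placeholder).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:00 GET /app/login 192.0.2.10 200
2024-01-01 10:00:05 GET /app/passwordreset/request/ 198.51.100.7 200
2024-01-01 10:00:09 POST /app/aspnetconfig 198.51.100.7 500
2024-01-01 10:05:00 POST /app/aspnetconfig 192.0.2.10 200
2024-01-01 11:30:00 GET /app/passwordreset/request/ 203.0.113.4 200
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def find_suspicious(log_text):
    """Return (severity, client, timestamp) for each POST to aspnetconfig.

    'high' means the same client hit the password-reset endpoint within
    WINDOW beforehand, which is the sequence the advisory describes.
    """
    last_token_request = {}
    alerts = []
    for r in parse(log_text):
        stem = r["cs-uri-stem"].lower()
        if TOKEN_PATH in stem:
            last_token_request[r["c-ip"]] = r["ts"]
        elif r["cs-method"] == "POST" and TARGET_PATH in stem:
            seen = last_token_request.get(r["c-ip"])
            sev = "high" if seen and r["ts"] - seen <= WINDOW else "review"
            alerts.append((sev, r["c-ip"], r["ts"].isoformat(sep=" ")))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

Clients behind a shared proxy or NAT will appear as one address, so treat 'review' hits as worth checking rather than as benign.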
Remediation
Users can upgrade to BMC FootPrints ITSM versions 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01 to address this vulnerability.
