Exploit the possiblities

OpenEMR 5.0.0 Command Injection / Cross Site Scripting

OpenEMR 5.0.0 Command Injection / Cross Site Scripting
Posted Dec 4, 2017
Authored by Fikri Fadzil, Wan Ikram, Jasveer Singh | Site sec-consult.com

OpenEMR version 5.0.0 suffers from code execution and cross site scripting vulnerabilities.

tags | exploit, vulnerability, code execution, xss
MD5 | ae3d7e59300638cb1a92e34e6480a979

OpenEMR 5.0.0 Command Injection / Cross Site Scripting

Change Mirror Download

SEC Consult Vulnerability Lab Security Advisory < 20171130-1 >
=======================================================================
title: OS Command Injection & Reflected Cross Site Scripting
product: OpenEMR
vulnerable version: 5.0.0
fixed version: 5.0.0 Patch 2 or higher
CVE number: -
impact: Critical
homepage: http://www.open-emr.org/
found: 2017-03-03
by: Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"OpenEMR is the most popular open source electronic health records and medical
practice management solution. ONC certified with international usage,
OpenEMR's goal is a superior alternative to its proprietary counterparts."

Source: http://www.open-emr.org/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can
fully compromise the web server which has OpenEMR installed. Potentially
sensitive health care and medical data might get exposed through this attack.

SEC Consult recommends not to attach OpenEMR to the network until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1. OS Command Injection
Any OS commands can be injected by an authenticated attacker with any role.
This is a serious vulnerability as the chance for the system to be fully
compromised is very high.

2. Reflected Cross Site Scripting
This vulnerability allows an attacker to inject malicious client side
scripting which will be executed in the browser of users if they visit the
manipulated site. There are different issues affecting various components.
The flash component has not been fixed yet as OpenEMR is looking for a
replacement component.


Proof of concept:
-----------------
1. OS Command Injection
Below is the detail of a HTTP request that needs to be sent to execute arbitrary
OS commands through "fax_dispatch.php".

URL : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x
METHOD : POST
PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_
filename='||<os-commands-here>||'&form_pid=1


2. Reflected Cross Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross site scripting:

The following payload shows a simple alert message box:
a)
URL : http://$DOMAIN/library/openflashchart/open-flash-chart.swf
METHOD : GET
PAYLOAD : [PoC removed as no fix is available]

b)
URL :
http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php
METHOD : POST
PAYLOAD : <script>alert('xss');</script>=SENDF


Vulnerable / tested versions:
-----------------------------
OpenEMR version 5.0.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.


Vendor contact timeline:
------------------------
2017-03-08: Contacting vendor through email.
2017-03-08: Vendor replied with his public key. Advisory sent through secure
channel.
2017-03-17: Asked for a status update from the vendor.
2017-03-17: Vendor confirms the vulnerabilities and working on the fixes.
2017-03-31: Asked for a status update from the vendor.
2017-03-31: Vendor informed that they have fixed OS Command Injection and are
currently working on fixes for Reflected Cross Site Scripting.
2017-04-25: Vendor requesting extension for deadline of 32 days from the
latest possible release date.
2017-05-25: Asked for a status update from the vendor.
2017-05-29: Vendor informed that they are working on the fixes.
2017-06-06: Asked for a status update from the vendor.
2017-06-12: Vendor informed that they added solution into the development
codebase.
2017-07-05: Asked for a status update from the vendor.
2017-07-10: Vendor informed patch is delayed due to another critical bug
fixes.
2017-08-17: Asked for a status update from the vendor. No reply.
2017-08-24: Asked for a status update from the vendor.
2017-08-29: Vendor informed patch will be out soon.
2017-08-30: Asked vendor for specific release date for patch. No reply.
2017-09-08: Asked for a status update from the vendor. No reply.
2017-09-14: Asked for a status update from the vendor.
2017-09-18: Vendor informed that they are testing their patch. No estimation
yet on the patch release date.
2017-10-17: Asked for a status update from the vendor. No reply.
2017-10-30: Asked for a status update from the vendor.
2017-10-31: Vendor informed that the patch will be released as soon as
possible.
2017-11-15: Asked for a status update from the vendor.
2017-11-21: Vendor informed that they are working on other vulnerabilities
2017-11-30: Public release of SEC Consult advisory.


Solution:
---------
The vendor has fixed the code execution issue and XSS 2b) in GIT in March 2017:
https://github.com/openemr/openemr/commit/ee0945a30dbb17ceee82b9b553d7dcb177710ca8#diff-1fdae02fadfcbc6147352cdc7c63279a
The fix has been incorporated in 5.0.0 Patch 2 or higher.
The XSS example 2a (flash) is not yet fixed.

Because of critical security issues (CVE-2017-16540) of other security
researchers it is highly recommended to upgrade to at least version
5.0.0 Patch 6 immediately.

http://www.open-emr.org/wiki/index.php/OpenEMR_Patches


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Jasveer Singh / @2017


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    13 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close