what you don't know can hurt you

Hyland OnBase DLL Hijacking

Hyland OnBase DLL Hijacking
Posted Sep 8, 2020
Authored by Adaptive Security Consulting

All versions up to and prior to Hyland OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32) suffer from DLL hijacking vulnerabilities.

tags | advisory, vulnerability
systems | windows
MD5 | 1ebced414524995b1fa42746405d452f

Hyland OnBase DLL Hijacking

Change Mirror Download
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not likely to have fixed the vulnerabilities.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Hyland OnBase's clients and server are vulnerable to DLL hijacking.

Technical Details
-------------------------------------------------
The Hyland OnBase web client, Unity Client, and server are vulnerable to DLL hijacking. While some DLLs are signed, the signatures aren't validated during runtime allowing attackers to modify, replace, or even insert DLLs into the installation folder. OnBase will then dynamically load all DLLs including any newly created ones.

This vulnerability can be coupled with any of the path traversal vulnerabilities to remotely upload malicious DLLs to the OnBase server. Attackers may exploit this to bypass OnBase security, plant backdoors, or escalate privileges.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" and no known fix is in place.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on behalf of client, but attempts were ignored


Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close