OpenEMR 5.0.1.3 Arbitrary File Actions

Back in 2018, a group of security researchers and I decided to try our hands at OpenEMR and find security vulnerabilities.The full report can be found here.This a very good read and I recommend reading it in its entirety. However this blog post is just documenting my contribution to the project.The following are the three CVEs I received in the collaboration. These were all responsibly disclosed and patched so upgrading to the latest version would be well advised.

1. CVE-2018-15140-Authenicated Arbitrary Read

 Vulnerable Code:

  if ($_POST['mode'] == 'get'){
     echo file_get_contents($_POST['docid']);
     exit;
  }

This is a vulnerability that allows an attacker to make a malicious request to /portal/import_template.php on a unpatched instance of OpenEMR.The result of this request is an arbitrary file read of a local file located on the file system.This vulnerability was possible due to the application passing user input into file_get_contents() without any sanitization if the parameter mode is set with get as its value. This result of this input,which is the local file, was then echoed back in the html response.

2. CVE-2018-15142-Authenicated Arbitrary Write

Vulnerable Code:

} else if ($_POST['mode'] == 'save') {
    file_put_contents($_POST['docid'], $_POST['content']);
    exit(true);
}

This is an vulnerability in /portal/import_template.php which allows an attacker to write php files to a local file system.This works if the parameter mode is set to save. If that is the case the post parameters docid and content are passed to file_put_contents() without any sanitization.The docid parameter is the file name and the content parameter includes the malicious PHP code. This by itself doesn’t have that much impact since you cannot execute the file, but when paired up with the previously found arbitrary file read, leads to remote code execution.

3. CVE-2018-15141- Authenticated Arbitrary File Delete

Vulnerable Code:
} else if ($_POST['mode'] == 'delete') {
     unlink($_POST['docid']);
     exit(true);
 }

This is an vulnerability also in /portal/import_template.php which allows an attacker to delete any file in the system if the filename is known and the permissions to delete are allowed.This is possible when the POST parameter mode is set to delete. The docid parameter which contains the file name specified by the attacker is then passed to unlink() without sanitation.

Thank you for reading and hope you enjoyed.You can find POCs for any one of these on ExploitDB, located here.

Previous
Previous

A Tale of a Web Cache Poisoning to Account Takeover Exploit Chain