Guest post from Matthew Price, Security Consultant, Threat Services at NTT Security.
In this post, I will expand on the process of identifying XML External Entity (XXE) injection in Conserus Image Repository (CIR) 126.96.36.199 by McKesson Medical Imaging Company, which is now a Change Healthcare Company. As this is my first blog post for NTT Security, I intend to establish my stylometric tone of avoiding unnecessary words.
CIR is a .NET web application for medical personnel to archive, manage, and access imaging information across disparate healthcare enterprises. Organizations using CIR will typically expose it only on the internal network, as it is not intended to have a public-facing interface. The finding described here was likewise made from an organization's internal network, which reached CIR via VPN.
After spidering the application, Burp Suite notified me of base64 encoded data being passed in a parameter of a POST request to “/HmiWebService/InfraService.svc.”
Burp Suite Base64-encoded data alert
Specifically, the “FileBytes” parameter triggered the Base64 alert. Below are the original POST request and the Base64 decoding of the “FileBytes” parameter found in the alert.
Original request to InfraService.svc with the Base64 encoded FileBytes parameter
Base64 decoding of the data in the original FileBytes parameter yields this XML
The next step after finding XML in an unauthenticated POST request is to determine whether the parser is vulnerable to XXE. To do this, I created new Base64-encoded XML that instructs the XML parser on the CIR server to fetch a remote Document Type Definition (DTD) file from a fictitious subdomain of my web server. By watching my web server's DNS log for the fictitious name, I can tell whether the CIR server tried to resolve it and requested the DTD file, and thus whether it is vulnerable to XXE.
Pre-Base64 encoded XML to determine if vulnerable
POST request of altered Base64 encoded XML in the FileBytes parameter
DNS log on webserver “adversary.site” showing CIR server requesting a fictitious subdomain
Since the CIR server requested the fictitious file, I could safely assume the server is vulnerable to XXE injection. To proceed to exploitation, I crafted the XML request to fetch the DTD file “ev.xml” hosted at http://adversary.site/ev.xml. The DTD file instructs the XML parser to read the contents of the operating system's “win.ini” file and send those contents, appended as a URL parameter named “data”, to http://adversary.site/ex.php.
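As an added example (not from the original post or from the vendor), this is a request-side check a defender could run on traffic to InfraService.svc: it decodes the FileBytes parameter and flags any XML that declares a DOCTYPE, whether a remote DTD reference like the probe above, an inline DTD, or a parameter entity. Form encoding of the POST body and the host names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Constructed samples (not captured traffic): the XML a CIR client would send,
# one with a remote DTD reference like the probe above, and one with only an
# internal DTD. Host names are placeholders.
BENIGN_XML = b'<?xml version="1.0"?><Request><Id>123</Id></Request>'
PROBE_XML = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE Request SYSTEM "http://probe.example.invalid/x.dtd">'
             b'<Request><Id>123</Id></Request>')
INTERNAL_DTD_XML = b'<!DOCTYPE r [<!ENTITY e "text">]><r>&e;</r>'

# Markers that should never appear in a fixed-schema service message.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(rb"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def encode_body(xml: bytes, param: str = "FileBytes") -> str:
    """Build the POST body as the client does (form encoding is assumed)."""
    return urlencode({param: base64.b64encode(xml).decode("ascii")})


def inspect_filebytes(body: str, param: str = "FileBytes") -> dict:
    """Decode the Base64 XML in `param` and report DTD features used for XXE.

    `block` is True when the request should be rejected or alerted on: any
    DOCTYPE (remote or inline) or parameter entity, since the service's
    messages never legitimately carry a DTD.
    """
    values = parse_qs(body).get(param)
    if not values:
        return {"decoded": False, "block": False, "reason": "parameter absent"}
    try:
        xml = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return {"decoded": False, "block": True, "reason": "invalid base64"}
    doctype = bool(DOCTYPE_RE.search(xml))
    result = {
        "decoded": True,
        "doctype": doctype,
        "external_ref": doctype and bool(EXTERNAL_RE.search(xml)),
        "param_entity": bool(PARAM_ENTITY_RE.search(xml)),
    }
    result["block"] = result["doctype"] or result["param_entity"]
    result["reason"] = "DTD declared" if result["block"] else "ok"
    return result


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("probe", PROBE_XML),
                       ("internal", INTERNAL_DTD_XML)):
        print(label, inspect_filebytes(encode_body(xml)))
```

Inside the application itself, the equivalent fix for a .NET parser is to create the XmlReader with XmlReaderSettings whose DtdProcessing is Prohibit and whose XmlResolver is null, so external DTDs are never fetched regardless of what the request carries.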
Pre-Base64 encoded XXE injection to request ev.xml
Contents of ev.xml
Contents of ex.php used to parse incoming file contents via “data” parameter
After everything was set up, I replaced the contents of the “FileBytes” parameter with the Base64-encoded XXE injection and sent the POST request. Executing the request returned the contents of the CIR server's “win.ini” file.
XXE Request to obtain “win.ini” file contents
Contents of the “win.ini” captured via “ex.php”
Finally, since CIR is a .NET application, it is possible to run Responder on the attacker's web server to obtain the username and hashed password of the application user. By running Responder on the attacker's web server (“adversary.site” in this case) and reusing the same XXE injection as before, the application user, attempting to authenticate to what it believes is a file share, ultimately hands over its credentials to gain access.
CIR server attempting to authenticate to a fictitious file share
NTT Security reported the XXE vulnerability, and it was assigned CVE-2017-14101. NTT Security worked with Change Healthcare Company to remediate the vulnerability. A patch is available from Medical Imaging Support at 1-800-663-2533 and International Toll Free Radiology at 00 800 626 20009.