Guest post from Matthew Price, Security Consultant, Threat Services at NTT Security.

In this post, I will expand on the process of identifying the authentication bypass and account takeover vulnerability in Conserus Workflow Intelligence (CWI) 2.0.2 by McKesson Medical Imaging Company, which is now a Change Healthcare Company. This post will be abbreviated since exploitation is straightforward.

Requirement:

The username of the account to take over.

Authentication Bypass:

The vulnerability can easily be exploited by visiting the following URL and replacing <USER> with the username of the account to take over.

http://<HOST>/peervue/QuickUserPreferences.aspx?u=<USER>

You will notice that it is now possible to change the account’s personal information, like email address, phone number, etc. After applying the change, the attacker will be granted limited impersonation rights as this user. For example, the attacker may be able to visit sections of the application that require authenticated access. However, the attacker will likely find that attempts to use administrative functions will result in an error. Thus, the attacker has access to many areas but not all. It may be possible to manipulate these areas to escalate permissions further, but such exercises are beyond the scope of this post.

Account Takeover:

If the attacker has even low-level credentials to log into CWI, visiting the above-mentioned URL after properly authenticating results in a full takeover of the user’s account and permissions. The low-privileged user will be “forgotten” and CWI will refer to them by the impersonated user’s username and allow the low-privileged user access to any and all functions that the impersonated user has available. With this access, it is trivial to move laterally until access to http://<HOST>/peervue/usermanagement.aspx is obtained, which lists all available users. With this list, the attacker can become any user, including any administrative user.
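For teams that cannot apply the patch immediately, the two behaviours described above (the unauthenticated `u=` request and an authenticated user supplying someone else's username) are visible in the web server log. The following is an added detection example, not code from the original post or from the vendor; it assumes an IIS-style W3C field order (date, time, method, uri-stem, uri-query, username, client IP, status) and scans a few constructed log lines. Because CWI logs the impersonated name after a takeover, the later access to usermanagement.aspx is correlated by client IP rather than by username.

```python
from urllib.parse import parse_qs

# Assumed field order: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
2017-11-01 10:00:09 GET /peervue/QuickUserPreferences.aspx u=drsmith - 203.0.113.7 200
2017-11-01 10:01:14 GET /peervue/QuickUserPreferences.aspx u=drsmith bob 10.1.1.9 200
2017-11-01 10:01:15 GET /peervue/QuickUserPreferences.aspx u=alice alice 10.1.1.5 200
2017-11-01 10:02:30 GET /peervue/usermanagement.aspx - drsmith 10.1.1.9 200
"""
PREFS_PAGE = "/peervue/quickuserpreferences.aspx"
USERMGMT_PAGE = "/peervue/usermanagement.aspx"

def parse(line):
    """Split one W3C line into a dict; None for comment or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 8:
        return None
    keys = ("date", "time", "method", "stem", "query", "user", "ip", "status")
    return dict(zip(keys, parts))

def scan(log_text):
    """Return (reason, client_ip, user) for each suspicious request."""
    hits, suspect_ips = [], set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        stem, user, ip = rec["stem"].lower(), rec["user"], rec["ip"]
        if stem == PREFS_PAGE:
            query = "" if rec["query"] == "-" else rec["query"]
            target = parse_qs(query).get("u", [None])[0]
            if target is None:
                continue  # ordinary self-service visit without u=
            if user == "-":
                hits.append(("unauthenticated-impersonation", ip, target))
            elif user.lower() != target.lower():
                hits.append(("authenticated-impersonation", ip, target))
            else:
                continue  # user editing their own preferences
            suspect_ips.add(ip)
        elif stem == USERMGMT_PAGE and ip in suspect_ips:
            # after takeover the log shows the impersonated name, so key on client IP
            hits.append(("user-list-after-impersonation", ip, user))
    return hits

if __name__ == "__main__":
    for reason, ip, who in scan(SAMPLE_LOG):
        print(f"{reason}: client={ip} user={who}")
```

A legitimate self-service visit to QuickUserPreferences.aspx (with no `u=` parameter, or with the caller's own username) produces no hit, so the rule can run over existing logs to find past exploitation as well as new attempts.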

Remediation:

NTT Security reported the authentication bypass vulnerability and it was assigned CVE-2017-16776. NTT Security worked with Change Healthcare Company to remediate the vulnerability. A patch is available from Medical Imaging Support at 1-800-663-2533 and International Toll Free Radiology at 00 800 626 20009.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16776