OpenMRS 2.3 (1.11.4) XML External Entity (XXE) Processing PoC Exploit
Title: OpenMRS 2.3 (1.11.4) XML External Entity (XXE) Processing PoC Exploit
Advisory ID: ZSL-2015-5289
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 07.12.2015
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
[10.11.2015] Vendor contacted via http://openmrs.org/help/report-a-bug/.
[10.11.2015] Vendor responds instructing us to create OpenMRS ID and post to developer category on talk.openmrs.org.
[10.11.2015] Issues with registration.
[11.11.2015] Contacting security@openmrs.org
[12.11.2015] Sent information to the vendor on IRC channel.
[14.11.2015] Vendor responds asking more details.
[14.11.2015] Sent details to the vendor.
[16.11.2015] Vendor confirms issues, working on patch.
[25.11.2015] Asked vendor for status update.
[25.11.2015] Vendor informs that patches are done, testing before release probably next week.
[30.11.2015] Vendor releases new modules to address these issues.
[02.12.2015] Vendor releases new official version 2.3.1 to address these issues.
[07.12.2015] Coordinated public security advisory released.
omrs_xxedos(header.xml).payload
[2] https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
[3] https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
[4] http://openmrs.org/2015/12/reference-application-2-3-1-released/
[5] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
[6] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
[7] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
[8] https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
[9] https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
[10] https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
[11] https://packetstormsecurity.com/files/134700
[12] https://cxsecurity.com/issue/WLB-2015120074
[13] https://www.exploit-db.com/exploits/38896/
[14] https://exchange.xforce.ibmcloud.com/vulnerabilities/108728
[08.12.2015] - Added reference [11], [12] and [13]
[10.12.2015] - Added reference [14]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5289
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 07.12.2015
Summary
OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.Description
The vulnerability is caused due to an error when parsing XML entities within ZIP archives and can be exploited to e.g. disclose data from local resources or cause a DoS condition (billion laughs) via a specially crafted XML file including external entity references.Vendor
OpenMRS Inc. - http://www.openmrs.orgAffected Version
OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Tested On
Ubuntu 12.04.5 LTSApache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vendor Status
[02.11.2015] Vulnerability discovered.[10.11.2015] Vendor contacted via http://openmrs.org/help/report-a-bug/.
[10.11.2015] Vendor responds instructing us to create OpenMRS ID and post to developer category on talk.openmrs.org.
[10.11.2015] Issues with registration.
[11.11.2015] Contacting security@openmrs.org
[12.11.2015] Sent information to the vendor on IRC channel.
[14.11.2015] Vendor responds asking more details.
[14.11.2015] Sent details to the vendor.
[16.11.2015] Vendor confirms issues, working on patch.
[25.11.2015] Asked vendor for status update.
[25.11.2015] Vendor informs that patches are done, testing before release probably next week.
[30.11.2015] Vendor releases new modules to address these issues.
[02.12.2015] Vendor releases new official version 2.3.1 to address these issues.
[07.12.2015] Coordinated public security advisory released.
PoC
zipity.pyomrs_xxedos(header.xml).payload
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868[2] https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
[3] https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
[4] http://openmrs.org/2015/12/reference-application-2-3-1-released/
[5] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
[6] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
[7] https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
[8] https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
[9] https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
[10] https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
[11] https://packetstormsecurity.com/files/134700
[12] https://cxsecurity.com/issue/WLB-2015120074
[13] https://www.exploit-db.com/exploits/38896/
[14] https://exchange.xforce.ibmcloud.com/vulnerabilities/108728
Changelog
[07.12.2015] - Initial release[08.12.2015] - Added reference [11], [12] and [13]
[10.12.2015] - Added reference [14]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
