OpenEMR is a popular open-source electronic medical records (EMR) application. The data it holds is, obviously, extremely sensitive.
Compromising it took three separate vulnerabilities chained together: a command injection, a stored XSS and an authentication bypass.
The command injection sits in the administrative backup feature. The developers guarded the input against SQL injection but not against command injection, so the value is stored safely in the database and later interpolated, unsanitized, into a bash script, which yields remote code execution. However, this is an administrative feature, so is it really a big deal on its own?
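As an added illustration of that failure mode (example code written for this page, not OpenEMR's own backup code; the function names, the `sql_escape` stand-in for whatever escaping the real code did, and `echo` standing in for the archiving command are all made up), the following Python shows why escaping a value for SQL does nothing once it reaches a shell, and what the fix looks like:

```python
import shlex
import subprocess


def sql_escape(value: str) -> str:
    """Quote escaping of the kind that stops a naive SQL injection.

    It neutralises backslashes and single quotes, which is all a SQL string
    literal cares about; shell metacharacters such as ';' survive untouched.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def backup_vulnerable(stored_name: str) -> str:
    """Vulnerable: the SQL-escaped value is pasted into a shell command line.

    'echo' stands in for the real archiving command (a made-up stand-in so the
    example runs without side effects). With shell=True the whole string is
    parsed by /bin/sh, so ';' ends the command and starts another one.
    """
    cmd = f"echo backup-of-{stored_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def backup_fixed(stored_name: str) -> str:
    """Fixed: pass the value as a single argv element, no shell involved.

    The program receives the argument verbatim; there is no parser left to
    interpret metacharacters.
    """
    return subprocess.run(
        ["echo", f"backup-of-{stored_name}"], capture_output=True, text=True
    ).stdout


def backup_fixed_shell(stored_name: str) -> str:
    """If a shell script really is required, shlex.quote() turns the value
    into a single shell word. This is the shell-level analogue of the SQL
    escaping that the original code stopped at."""
    cmd = f"echo backup-of-{shlex.quote(stored_name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True when the marker was printed by a *second* command, i.e. it shows
    up as a line of its own rather than as part of the echoed data."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    # Constructed attacker input: a name that closes the first command and
    # appends a second one. sql_escape() leaves it unchanged.
    payload = sql_escape("x; echo INJECTED")
    print(repr(backup_vulnerable(payload)))     # two lines: the second command ran
    print(repr(backup_fixed(payload)))          # one line: payload echoed as data
    print(repr(backup_fixed_shell(payload)))    # one line: payload echoed as data
```

The point to take away is that escaping is always relative to a parser: a value made safe for the SQL parser is not thereby safe for the shell parser, and the safest fix is to avoid the second parser altogether by passing an argument vector.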
The second finding is a stored XSS in a user's last name: adding script tags to the field is all it takes to build a payload. But this field is only displayed to the user it belongs to, so on its own it is a self-XSS. Not a huge deal, right?
This is where it all ties together: the auth bypass. When a user is being created, the SESSION_ID is set to ignoreAuth, which makes perfect sense for a registration flow. However, the checks that ignoreAuth disables cover much more than user creation needs. All an attacker has to do to gain access to all user account operations is put their session into the registering state.
With the auth bypass letting us edit arbitrary user information, we can set the admin user's last name (the field with the XSS) to our payload. Once the admin visits the site, the payload runs in their browser and calls the administrative backup functionality that contains the command injection, which gives us RCE.
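To make the chain concrete, here is a toy model of the three pieces together, written for this page rather than taken from OpenEMR or the report. The endpoint names (`/users/edit`, `/users/me`, `/admin/backup`, `/register`), the session dictionary layout, the `ToyApp` class and the `fetch()` payload are all assumptions; what it preserves is the structure of the bug: an `ignoreAuth` exemption that skips the login check on every endpoint, a last name rendered without escaping, and an admin-only endpoint that the attacker's own session can never reach directly.

```python
import html

ADMIN_ENDPOINTS = {"/admin/backup"}
REGISTRATION_ENDPOINTS = {"/register"}


def authorized_vulnerable(session: dict, endpoint: str) -> bool:
    """Over-broad gate: a session in the registration state carries
    ignoreAuth, and the login check honours it on every endpoint. Only the
    separate role check stands between such a session and the admin pages."""
    logged_in = bool(session.get("ignoreAuth")) or session.get("user") is not None
    if endpoint in ADMIN_ENDPOINTS:
        return logged_in and session.get("role") == "admin"
    return logged_in


def authorized_fixed(session: dict, endpoint: str) -> bool:
    """Scoped gate: the exemption covers the registration endpoints only;
    everything else needs a real login, and admin pages the admin role."""
    if endpoint in REGISTRATION_ENDPOINTS:
        return True
    logged_in = session.get("user") is not None
    if endpoint in ADMIN_ENDPOINTS:
        return logged_in and session.get("role") == "admin"
    return logged_in


def render_last_name_vulnerable(last_name: str) -> str:
    """Vulnerable: the stored last name is pasted into the page as markup."""
    return f'<td class="lname">{last_name}</td>'


def render_last_name_fixed(last_name: str) -> str:
    """Fixed: HTML-escape on output, so '<script>' is displayed as text."""
    return f'<td class="lname">{html.escape(last_name, quote=True)}</td>'


class ToyApp:
    """Three-endpoint application with an in-memory user table (constructed)."""

    def __init__(self, authorize, render):
        self.authorize = authorize
        self.render = render
        self.users = {"admin": {"last_name": "Root", "role": "admin"}}
        self.backup_calls = []

    def handle(self, session: dict, endpoint: str, params: dict):
        if not self.authorize(session, endpoint):
            return 403, ""
        if endpoint == "/users/edit":
            self.users[params["user"]]["last_name"] = params["last_name"]
            return 200, "saved"
        if endpoint == "/users/me":
            return 200, self.render(self.users[session["user"]]["last_name"])
        if endpoint == "/admin/backup":
            self.backup_calls.append(params["name"])
            return 200, "backup started"
        return 404, ""


def run_chain(authorize, render) -> dict:
    """Replay the three steps against an app built from the given gate and renderer."""
    app = ToyApp(authorize, render)
    # Step 1: an anonymous session that has put itself into the registering state
    # uses the user-edit endpoint to plant a payload in the admin's last name.
    attacker = {"ignoreAuth": True}
    payload = "<script>fetch('/admin/backup?name=x;id')</script>"
    edit_status, _ = app.handle(
        attacker, "/users/edit", {"user": "admin", "last_name": payload}
    )
    # Step 2: the admin views their own profile. A browser would execute any
    # unescaped script tag here with the admin's cookies, reaching /admin/backup.
    admin = {"user": "admin", "role": "admin"}
    _, page = app.handle(admin, "/users/me", {})
    # Step 3: the attacker's own session can never reach the admin endpoint;
    # the role check holds, which is exactly why the XSS hop is needed.
    direct_status, _ = app.handle(attacker, "/admin/backup", {"name": "x;id"})
    return {
        "edit_status": edit_status,
        "direct_backup_status": direct_status,
        "script_executes": "<script>" in page,
    }


if __name__ == "__main__":
    print(run_chain(authorized_vulnerable, render_last_name_vulnerable))
    print(run_chain(authorized_fixed, render_last_name_fixed))
```

Either fix alone breaks the chain: scoping `ignoreAuth` to the registration endpoints stops the attacker from touching the admin record at all, and escaping on output turns the planted payload back into harmless text even if the edit goes through. Fixing the command injection as well removes the final step's impact, which is why all three deserve patching rather than only the one that looks "unauthenticated".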
Gotta love these types of reports, where multiple issues are chained together to make a seemingly useless authenticated bug impactful. Lately, it seems like these IoT devices are just full of authentication bypasses!