How our Ethical Hacking team discovered a “zero-day” vulnerability

In our Ethical Hacking team, the day to day work involves putting oneself in the mindset of an attacker and attempting to compromise the agreed upon targets, in order to improve our clients security posture. This often leads to the team finding and exploiting known vulnerabilities and misconfigurations, but also digging deep and attempting to find those vulnerabilities which are not yet known, more commonly known as “zero-day” vulnerabilities.

During a recent internal infrastructure engagement, a member of the Ethical Hacking team (James Taylor) was able to discover one such vulnerability within a third-party web application.

Technical details

In this case, the discovered vulnerability was a blind (meaning no output was observed) arbitrary file read (meaning the attacker could request any file from the system), that could also be used for authentication coercion via a mechanism known as a Universal Naming Convention (UNC) path.

The software in question was Qaelum DOSE, and is described as “...a dose management solution that automatically monitors, evaluates and reports the radiation dose that patients receive for multi-facility, multi-modality and multi-vendor imaging environments”.

The vulnerability

Specifically, DOSE version 18.08 through to 21.1 and before 21.2 allows for absolute file paths to be supplied by an attacker via the “loadimages” route and “name” parameter. This in turn would allow an attacker to display an arbitrary image from the local system, or a remote system through supplying a UNC path such as “\\attackerip\file.jpg”.

Although any file can be requested, only images are displayed to the attacker. Files can be enumerated on the local system however, due to the “Content-Type” header reflecting the actual content type of the requested file. Although enumeration is interesting, the impact in this case is limited.

Increasing the impact

As UNC paths can be used to load remote images, an attacker could set up a malicious SMB server and relay authentication using tools such as “ntlmrelayx.py”. Additionally, when there is a certificate authority in the domain that has the web enrollment feature enabled, it would be possible to perform NTLM relaying to the HTTP endpoint to obtain a certificate and potentially achieve remote code execution on the vulnerable server.

In Summary

This vulnerability is now tracked as CVE-2022-38731 and we recommend that affected clients upgrade to the latest stable, non-vulnerable version. For more detailed information on the issue, please see the advisory at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38731.

If you would like to engage the services of the Ethical Hacking team, and see how they could help to improve your security posture, please contact Stuart Criddle.
 

Disclosure timeline

  • Vulnerability discovery - 27/05/2022
  • Vendor disclosure - 31/05/2022
  • Vendor fix - 27/06/2022
  • CVE request - 24/08/2022
  • CVE assigned - 24/08/2022
  • Vendor confirms public disclosure - 16/09/2022
  • Public disclosure - 13/02/2023
Follow us

Required fields are marked with an asterisk(*)

By submitting your information, you acknowledge that we may send you business insights that we consider relevant to your interests. Please see our privacy statement for details of why and how we use personal data and your rights (including your right to object and to stop receiving marketing communications from us). To stop receiving marketing communications from us, click on the unsubscribe link in the relevant email received from us or send an email to uk_emailconsent@pwc.com.

Contact us

Stuart Criddle

Stuart Criddle

Ethical Hacking Lead, PwC United Kingdom

Tel: +44 (0)7483 416716

Kris  McConkey

Kris McConkey

Cyber Threat Operations Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360

Hide