X41 D-Sec GmbH Security Advisory: X41-2020-004

Multiple Vulnerabilities in Indamed Medical Office

Summary and Impact

Indamed Medical Office contains a cross-site scripting (XSS) issue and stores user passwords as unsalted MD5 hashes. This allows attacks against users and, if an attacker gains access to the filesystem, the recovery of plaintext passwords.

Product Description

Indamed Medical Office allows you to manage a medical office and patients.

Passwords stored as MD5 Hash

Analysis

Indamed Medical Office stores the passwords of its users as unsalted MD5 hashes in ‘C:\INDAMED\dat\MEDOFF.GDB’. MD5 is a fast hash that can be brute-forced efficiently and should not be used for password storage. Since no salt is used, precomputed (rainbow) tables speed up such an attack further. The hashes can be extracted from the database file easily and, due to the nature of the database, the file may even reveal older hashes.

Proof of Concept

strings MEDOFF.GDB | grep -E '^[0-9a-f]{32}$' | sort | uniq
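The following Python is an added illustration for this finding and is not code from Indamed or from the advisory. It contrasts the unsalted MD5 scheme described above with a salted, memory-hard alternative (scrypt from the standard library), shows the audit a defender can run over their own user table (accounts sharing a password become linkable only under the unsalted scheme), and reimplements the proof-of-concept pipeline above as a function so the same check can be run over a database file from Python. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration (not data from the advisory).
USERS = {"alice": "Winter2020!", "bob": "Winter2020!", "carol": "correct horse"}

# Same pattern as the advisory's grep: a bare 32-digit lowercase hex string.
MD5_HEX = re.compile(rb"^[0-9a-f]{32}$")


def md5_store(password: str) -> str:
    """The weak scheme described in the advisory: one unsalted MD5 digest per user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard password hash, stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def linkable_accounts(stored: Dict[str, str]) -> List[List[str]]:
    """Audit helper: groups of users whose stored hashes are identical.
    Under unsalted MD5 this exposes shared passwords; with a per-user salt it stays empty."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def md5_like_tokens(blob: bytes, min_len: int = 4) -> List[str]:
    """Python equivalent of `strings FILE | grep -E '^[0-9a-f]{32}$' | sort | uniq`:
    printable runs of at least min_len bytes, kept only if the whole run looks like an MD5 digest."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = {m.group(0).decode("ascii") for m in printable.finditer(blob) if MD5_HEX.match(m.group(0))}
    return sorted(found)


if __name__ == "__main__":
    weak = {u: md5_store(p) for u, p in USERS.items()}
    strong = {u: scrypt_store(p) for u, p in USERS.items()}
    print("linkable under MD5:   ", linkable_accounts(weak))
    print("linkable under scrypt:", linkable_accounts(strong))
    print("alice verifies:       ", scrypt_verify("Winter2020!", strong["alice"]))
```

The scrypt parameters (n=2**14, r=8, p=1) need about 16 MiB per hash, which is the point: each guess costs the attacker real memory and time, and the random 16-byte salt makes any precomputed table useless. Migrating an existing MD5 table is done lazily, re-hashing each password with the new scheme on the user's next successful login.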

XSS in Webinterface

Analysis

The HTTP server listening on localhost:2019, which is reachable remotely through the nginx server, contains an XSS flaw that can be triggered easily via a malicious URL. This might allow an attacker to steal session data or modify the displayed page.
Since the web server is only used for the REST API, this attack vector may be of little practical use.
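The following is an added example, not code from the product or the advisory, showing the defensive fix for this class of flaw. It assumes (the advisory does not state the exact mechanism) that the server echoes an unknown request path into an HTML error page, which is how a path like the proof-of-concept below turns into live markup. The vulnerable renderer is shown next to two fixes: HTML output encoding of the reflected value, and, for an API-only server, not emitting HTML at all and returning JSON with the correct content type. The function and header names are the example's own.

```python
import html
import json
from typing import Callable, Dict, Tuple
from urllib.parse import unquote, urlsplit

# The advisory's proof-of-concept path, used here as a constructed request.
POC_PATH = "/mo/test<script>alert(1)</script>"


def not_found_page_vulnerable(request_path: str) -> str:
    """Assumed vulnerable behaviour: the unknown path is copied into HTML verbatim,
    so any tags in the URL become part of the page the browser renders."""
    return "<html><body><h1>404 - %s not found</h1></body></html>" % request_path


def not_found_page_hardened(request_path: str) -> str:
    """Same page with output encoding: every HTML metacharacter in the path is escaped,
    so the browser shows the text instead of executing it."""
    return "<html><body><h1>404 - %s not found</h1></body></html>" % html.escape(request_path, quote=True)


def not_found_json(request_path: str) -> Tuple[Dict[str, str], str]:
    """Preferred fix for a server that only serves a REST API: never produce HTML.
    '<' and '>' are additionally written as JSON \\u escapes so the value cannot read
    as markup even if a client mishandles the content type."""
    body = json.dumps({"error": "not found", "path": request_path})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def reflects_unescaped(render: Callable[[str], str], marker: str = "<script>") -> bool:
    """Regression check: decode the request path as a server would and see whether the
    renderer hands the PoC's tag back as live markup."""
    decoded = unquote(urlsplit(POC_PATH).path)
    return marker in render(decoded)


if __name__ == "__main__":
    print("vulnerable reflects tag:", reflects_unescaped(not_found_page_vulnerable))
    print("hardened reflects tag:  ", reflects_unescaped(not_found_page_hardened))
    print(not_found_json(POC_PATH)[1])
```

A WAF in front of nginx can block the obvious payload but is a filter on the attacker's input; escaping (or not rendering HTML) at the point of output is the fix that holds for every encoding and variant of the payload. The `reflects_unescaped` check is the kind of test worth keeping in the server's test suite so the behaviour cannot regress.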

Proof of Concept

/mo/test<script>alert(1)</script>

Workarounds

A quick workaround might be to add a WAF into the nginx configuration.

Timeline

About X41 D-SEC GmbH

X41 is an expert provider of application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world-class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security-centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.