- The Echo Group
- ShareCare Version 8.15.5
The ShareCare application is susceptible to SQL injection vulnerabilities when processing remote input from both authenticated and unauthenticated users, leading to the ability to bypass authentication, exfiltrate Structured Query Language (SQL) records, and manipulate data.
The ShareCare TextReader feature is susceptible to a local file inclusion vulnerability when processing remote input from an authenticated user, leading to the ability to read arbitrary files on the server file systems as well any files accessible via Universal Naming Convention (UNC) paths.
The ShareCare application does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection.
The ShareCare file upload feature is susceptible to an unrestricted file upload vulnerability when processing remote input from an authenticated user, leading to the ability for arbitrary files to be written to arbitrary file system locations on the `Z:` drive (a hard-coded drive letter where ShareCare application files reside) and remote code execution as the ShareCare service user (`NT AUTHORITY\SYSTEM`).
The ShareCare UnzipFile feature is susceptible to a command argument injection vulnerability when processing remote input from an authenticated user, leading to the ability to inject arbitrary arguments to `7z.exe`.
These issues have been addressed in the ShareCare 9.0.1 release, which has been provided to all customers of The Echo Group.
These issues were found by Stephen Breen and Nick Nam of Atredis Partners.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33578
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36123
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36124
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36121
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36122
- https://www.echobh.com/capabilities/california-county-solution/
- 2021-02-24: Atredis Partners sent an initial notification to vendor, including draft advisory
- 2021-02-24: Vendor confirmed receipt of the advisory
- 2021-03-23: Atredis Partners asked vendor for a status update
- 2021-04-01: Atredis notified vendor of the upcoming CERT/CC disclosure
- 2021-04-06: Vendor organized meeting to discuss the vulnerability
- 2021-04-07: Atredis Partners met with the vendor and vendor committed to addressing the findings
- 2021-04-12: Atredis reported the vulnerability to CERT/CC.
- 2021-04-14: Atredis Partners extended the disclosure date to June 11, 2021 after discussion with the vendor
- 2021-04-19: Vendor met with Atredis and reviewed code changes that indicated that the vulnerabilities had been mitigated
- 2021-05-21: Atredis Partners extended the disclosure date to July 12, 2021 after additional discussion with vendor
- 2021-07-12: Atredis published this advisory
The ShareCare application has systemic issues with SQL injection vulnerabilities. Following is a code snippet from `/General/UserInterface/menu_registry_dev.cfm` showing a common pattern found throughout ShareCare when retrieving SQL records:

```cfml
<cfquery name="editPage" datasource="#Page.DSN#">
SELECT *
FROM menu
WHERE menu_ID = #menu_ID#
</cfquery>
```
The `cfquery` ColdFusion Markup Language (CFML) tag constructs an SQL query by concatenating user-supplied input, here a Uniform Resource Locator (URL) parameter named `menu_ID` (interpolated as `#menu_ID#`), directly into the query text. It is possible to inject arbitrary SQL statements as values for `menu_ID` to exfiltrate and manipulate arbitrary data.
Further, SQL injection vulnerabilities extend to session validation logic, allowing unauthenticated attackers to bypass authentication.
```cfml
<!--- Retrieve the user's session id --->
<cfquery name="GetSessionID" datasource="#Page.DSN#">
SELECT
session_ID
FROM
Session
WHERE
token LIKE '#SCtoken#'
</cfquery>
```
However, because the `GetSessionID` query uses the `LIKE` operator to match the token when looking up `session_ID`, exploiting SQL injection is not even necessary to bypass authentication. Instead, existing sessions can be hijacked by setting the session cookie (`SCToken`) to a value containing SQL wildcards such as `%`, which matches an existing `SCToken`.
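The two query patterns above (string-concatenated `menu_ID`, and a `LIKE` comparison against the session cookie) are easy to reproduce and to fix in any database-backed code. The following is an added example, not code from the advisory or from ShareCare: it models the `Session` and `menu` tables in an in-memory SQLite database with constructed sample rows, shows the vulnerable `LIKE` lookup matching a wildcard cookie, and then shows the hardened form, which binds the value as a parameter (the Python equivalent of CFML's `cfqueryparam`) and compares with `=`. The `validate_menu_id` helper is the equivalent of declaring the parameter as `cf_sql_integer`, and is an assumed name, not a ShareCare function.

```python
import sqlite3

# Constructed sample data (not from the advisory): two live sessions and two menu rows.
SESSIONS = [
    (1, "user-a", "3f9a1c2e7b8d4e6f"),
    (2, "user-b", "a1b2c3d4e5f60718"),
]
MENUS = [(1, "Home"), (2, "Reports")]


def make_session_db():
    """Build an in-memory stand-in for ShareCare's Session and menu tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Session (session_ID INTEGER, username TEXT, token TEXT)")
    conn.executemany("INSERT INTO Session VALUES (?, ?, ?)", SESSIONS)
    conn.execute("CREATE TABLE menu (menu_ID INTEGER, title TEXT)")
    conn.executemany("INSERT INTO menu VALUES (?, ?)", MENUS)
    return conn


def get_session_id_vulnerable(conn, sctoken):
    """Mirrors the GetSessionID pattern: the cookie value is pasted into the query
    text and compared with LIKE, so '%' and '_' act as wildcards and a quote
    character terminates the string literal."""
    sql = f"SELECT session_ID FROM Session WHERE token LIKE '{sctoken}' ORDER BY session_ID"
    return [row[0] for row in conn.execute(sql)]


def get_session_id_fixed(conn, sctoken):
    """Hardened lookup: the token travels as a bound parameter (what cfqueryparam
    does in CFML) and is compared with '=' rather than LIKE, so wildcard characters
    and quotes in the cookie are treated as plain data."""
    rows = conn.execute(
        "SELECT session_ID FROM Session WHERE token = ? ORDER BY session_ID", (sctoken,)
    )
    return [row[0] for row in rows]


def validate_menu_id(value):
    """Equivalent of cfqueryparam cfsqltype="cf_sql_integer": accept only a plain
    integer. Returns None for anything else (e.g. '1 OR 1=1')."""
    text = str(value).strip()
    if not text.lstrip("-").isdigit():
        return None
    return int(text)


def get_menu_fixed(conn, menu_id):
    """Replacement for the editPage pattern: typed, bound parameter instead of #menu_ID#."""
    checked = validate_menu_id(menu_id)
    if checked is None:
        raise ValueError("menu_ID must be an integer")
    return conn.execute("SELECT * FROM menu WHERE menu_ID = ?", (checked,)).fetchall()


if __name__ == "__main__":
    db = make_session_db()
    print("LIKE with '%':", get_session_id_vulnerable(db, "%"))   # every session matches
    print("= with '%':   ", get_session_id_fixed(db, "%"))        # nothing matches
    print("menu 2:", get_menu_fixed(db, "2"))
```

The test for this kind of bug is the same in any language: if a request with `%` (or `' OR '1'='1`) in the cookie still yields a session, the comparison is still string-built or still uses `LIKE`. Both must change; parameterising alone leaves the wildcard match in place.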
`/General/TextReader/TextReader.cfm` accepts two parameters named `action` and `textFile`. `action` can be one of `save` or `view`, and `textFile` can be assigned a full file path such as `C:\path\file.ext`. ShareCare does not validate, sanitize, or limit the value for `textFile`, allowing an attacker to read arbitrary files by specifying file system paths or UNC paths like `\\server\share\path\file.ext`.
While ShareCare implements an authentication and authorization system using role-based access controls, the controls are not consistently applied to all potentially sensitive pages. The lack of authentication for some pages exposes ShareCare to unauthenticated SQL injection attacks.
Following is a non-exhaustive list of pages that are accessible without authentication. These pages are highlighted as they are also vulnerable to SQL injection attacks that could lead to the remote compromise of ShareCare and patient data:
- /General/UserInterface/submenus.cfm
- /General/UserInterface/JobClockCheck_Sel.cfm
- /General/UserInterface/JobClockDisplay_Sel.cfm
- /General/UserInterface/helpDictionaryGet.cfm
- /General/UserInterface/helpContent.cfm
- /General/UserInterface/TabBar.cfm
`/Access/DownloadFeed_Mnt/FileUpload_Upd.cfm` handles file upload requests and saves uploaded files to a directory named `Z:\Data\[Page.DSN]\200\Parser\Feeddata`, where `[Page.DSN]` represents the data source name. The name of the file is taken from a form parameter called `name1` (a user-controlled value) that is appended to `Z:\Data\[Page.DSN]\200\Parser\Feeddata` to form the destination path for the uploaded file.

File upload code from `FileUpload_upd.cfm`:
```cfml
<cfset name = Form.name1>
<cfset destinationDir = "Z:\Data\" & Page.DSN & "\200\Parser\Feeddata">
<cfset TempFileArray = DirectoryList(gettempdirectory(),false,"name","neotmp*.tmp")>
<cffile action="copy" destination="#destinationDir#\#name#" source="#TempFileArray[1]#">
```
To protect against path traversal attacks, ShareCare processes the `name1` value using a backslash (`\`) filter and extracts only the characters after the final `\`, if it exists.

Backslash filtering from `FileUpload_upd.cfm`:
```cfml
<cfloop condition="Find('\', name) neq 0">
<cfset name = Right(name, Len(name) - Find("\", name))>
</cfloop>
```
However, because Windows also accepts a forward slash (`/`) as a path delimiter, the backslash filter can be easily bypassed. By prefixing the value of `name1` with a series of `../` sequences, an attacker can traverse the `Z:` drive directory structure and upload arbitrary files to arbitrary directories.
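The backslash-only filter fails because the check is applied to the raw string rather than to the path the operating system will actually resolve. The following is an added example, not code from the advisory or from ShareCare: it reproduces the filter's logic, resolves the resulting destination with Windows path rules (`ntpath`, so it runs on any platform), and shows a hardened replacement that takes the final path component across both separators and then verifies the resolved path is still inside the upload directory. The data source name `EXAMPLE_DSN` is a placeholder for `Page.DSN`. The same containment check (`is_contained`) is the control that `TextReader.cfm` lacks for its `textFile` parameter, including the UNC case, which it rejects because the path is on a different drive.

```python
import ntpath

# Placeholder for Page.DSN; the real data source name is site-specific.
BASE_DIR = r"Z:\Data\EXAMPLE_DSN\200\Parser\Feeddata"


def strip_after_last_backslash(name):
    """Reproduces the FileUpload_upd.cfm filter: drop everything up to the last '\\'.
    Forward slashes are left untouched, which is the flaw."""
    while "\\" in name:
        name = name[name.index("\\") + 1:]
    return name


def destination_vulnerable(name1):
    """Where the original logic writes the file once Windows resolves '..' and '/'."""
    return ntpath.normpath(ntpath.join(BASE_DIR, strip_after_last_backslash(name1)))


def is_contained(path):
    """True only if the resolved path lies under BASE_DIR. A UNC path or another
    drive letter makes ntpath.commonpath raise, which is also a rejection."""
    try:
        return ntpath.commonpath([ntpath.normpath(path), BASE_DIR]) == BASE_DIR
    except ValueError:
        return False


def destination_fixed(name1):
    """Hardened: keep only the final component across both '\\' and '/', refuse
    empty or dot names, and confirm the resolved path is still inside BASE_DIR."""
    base = ntpath.basename(name1)  # ntpath treats '/' and '\\' as separators
    if base in ("", ".", ".."):
        raise ValueError("invalid upload file name")
    dest = ntpath.normpath(ntpath.join(BASE_DIR, base))
    if not is_contained(dest):  # defence in depth; basename() alone should suffice
        raise ValueError("upload path escapes the feed directory")
    return dest


if __name__ == "__main__":
    for sample in ("report.csv", "..\\..\\..\\..\\evil.txt", "../../../../evil.txt"):
        print(f"{sample!r:32} vulnerable -> {destination_vulnerable(sample)}")
        print(f"{'':32} fixed      -> {destination_fixed(sample)}")
```

Note that the hardened version still salvages a usable file name, as the original intended; a stricter policy would reject any `name1` containing a separator outright and log it, since a legitimate upload client never sends one.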
`/Access/EligFeedParse_Sup/UnzipFile_Upd.cfm` uses a `cfexecute` tag to execute the `7z.exe` command-line utility. `UnzipFile_upd.cfm` accepts a ZIP password as a parameter named `Form.zippass` that is then passed to `7z.exe` without sanitization or other restrictions:
```cfml
<cfexecute name = "Z:\cfml\General\7Zip\7z.exe"
arguments = " e #expath#\#filename#.ZIP -y -p#Form.zippass# -o#expath#"
timeout = "0" outputfile="z:\logs\7Zip.log">
</cfexecute>
```
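The root cause here is that `arguments` is a single string: whatever splits it into an argument vector (the ColdFusion runtime and then `7z.exe`'s own parser) cannot tell where the password ends and the next switch begins. The following is an added example, not code from the advisory or from ShareCare: it approximates the string-splitting behaviour with plain whitespace splitting (a simplification; real Windows command-line parsing also honours quotes) to show how a password value turns into extra switches, and then builds the hardened form, an argument list in which each value is exactly one argv element, with `--` ending switch parsing before the archive path. `EXAMPLE_DSN` and the `Elig` directory are placeholders for `#expath#`; `is_valid_archive_name` and `is_valid_zip_password` are assumed helper names.

```python
import shutil
import subprocess

SEVEN_ZIP = r"Z:\cfml\General\7Zip\7z.exe"   # path as quoted in the advisory
EXPATH = r"Z:\Data\EXAMPLE_DSN\Elig"         # placeholder for #expath#


def argv_vulnerable(filename, zippass):
    """Approximates the cfexecute pattern: one argument string later split on
    whitespace, so spaces in the password become additional 7z switches."""
    args = f" e {EXPATH}\\{filename}.ZIP -y -p{zippass} -o{EXPATH}"
    return [SEVEN_ZIP] + args.split()


def is_valid_archive_name(filename):
    """The archive must be a bare name inside EXPATH: no separators, drive, or dots-only."""
    return bool(filename) and filename not in (".", "..") and not any(c in filename for c in "\\/:")


def is_valid_zip_password(zippass):
    """Reject empty values and control characters; spaces and '-' are legitimate
    password characters and are safe once the value is a single argv element."""
    return bool(zippass) and all(ord(c) >= 32 for c in zippass)


def argv_fixed(filename, zippass):
    """Hardened: validate the user-controlled pieces, then pass an argument list.
    '-p' and '-o' carry their value inside the same element, and '--' tells 7z to
    stop parsing switches, so nothing in the password can become an option."""
    if not is_valid_archive_name(filename):
        raise ValueError("invalid archive name")
    if not is_valid_zip_password(zippass):
        raise ValueError("invalid archive password")
    archive = f"{EXPATH}\\{filename}.ZIP"
    return [SEVEN_ZIP, "e", f"-p{zippass}", f"-o{EXPATH}", "-y", "--", archive]


def run_unzip(argv, timeout=60):
    """Execute without a shell and with a real timeout (the original used timeout='0')."""
    return subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)


if __name__ == "__main__":
    injected = "pw -oZ:\\elsewhere"   # constructed password that smuggles a switch
    print("string form :", argv_vulnerable("feed", injected))
    print("list form   :", argv_fixed("feed", injected))
    if shutil.which(SEVEN_ZIP):       # only runs where the binary actually exists
        print(run_unzip(argv_fixed("feed", injected)).returncode)
```

In ColdFusion itself the equivalent change is to pass `arguments` as an array rather than a string so that each element is handed to the process unsplit, and to keep the `Form.zippass` validation regardless, since a password is never a reasonable place for control characters.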