Privilege Escalation Leads to RCE in Medplum
CVE Number
CVE-2024-29380
Loginsoft ID
Loginsoft-2024-1011
Description
The application “Medplum” is affected by a privilege escalation vulnerability that can lead to the execution of system commands. An attacker with practitioner privileges can elevate their status to a project admin using the ProjectMembership endpoint, enabling them to execute system commands through the bot editor.
CWE
CWE-269: Improper Privilege Management
CWE-94: Improper Control of Generation of Code (‘Code Injection’)
Affected Versions
< v3.0.7
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H : 8.8 (High)
Steps To Reproduce
- Create a practitioner with non-admin privileges.
- Log in as the practitioner and navigate to the `/ProjectMembership` endpoint.
- Click on the ID of the practitioner and navigate to the edit section.
- Scroll to the bottom and enable the admin option. Submitting the request makes the practitioner a project administrator.
- On reloading the browser, the changes will be reflected.
- Navigate to Project under the admin section, and then proceed to Bots.
- Click on the bot’s name and then open the link associated with the bot’s name.
- Navigate to the editor section, input the provided payload, and execute the command. This action will trigger a system command, leading to the creation of a file in the document folder.
```javascript
// Payload from the advisory: spawns a shell command from the bot editor,
// creating a file named "RCE" in the Documents folder of the server user.
const { exec } = require('child_process');
const path = '/home/ubuntu/Documents';
const command = 'touch RCE';
exec(command, { cwd: path });
```
Impact
Ability to run arbitrary commands on the underlying system.
Mitigation
Remove the option to change admin status or limit access to the ProjectMembership endpoint. Additionally, add filters in the bot editor to prevent the execution of system commands.
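The first half of the mitigation is an authorization check on ProjectMembership updates: a caller who is not already a project administrator must not be able to flip the `admin` flag, least of all on their own membership. The following is an added example written for this advisory, not Medplum's code or its actual fix; the `Caller` and `ProjectMembership` shapes, the `authorizeMembershipUpdate` function and the sample request are all assumptions constructed to show the check.

```typescript
// Added example (not Medplum's code): server-side guard for ProjectMembership updates.
// Shapes below are simplified assumptions, not Medplum's real types.

interface ProjectMembership {
  id: string;
  project: string;   // project the membership belongs to
  profile: string;   // e.g. "Practitioner/p1"
  admin?: boolean;   // true grants project administrator rights
}

interface Caller {
  profile: string;        // profile of the authenticated user
  project: string;        // project the caller is operating in
  isProjectAdmin: boolean;
  isSuperAdmin: boolean;
}

type Decision = { allowed: true } | { allowed: false; reason: string };

function isAdminCaller(caller: Caller): boolean {
  return caller.isProjectAdmin || caller.isSuperAdmin;
}

// Decide whether `caller` may replace `current` with `proposed`.
// The escalation in the advisory is the case: non-admin caller, own membership,
// admin flag going from false to true. It is denied before anything is persisted.
function authorizeMembershipUpdate(
  caller: Caller,
  current: ProjectMembership,
  proposed: ProjectMembership,
): Decision {
  if (current.id !== proposed.id || current.project !== proposed.project) {
    return { allowed: false, reason: 'membership id and project are immutable' };
  }
  if (current.project !== caller.project && !caller.isSuperAdmin) {
    return { allowed: false, reason: 'caller is not a member of this project' };
  }
  const wasAdmin = current.admin === true;
  const wantsAdmin = proposed.admin === true;
  if (wasAdmin !== wantsAdmin) {
    // Only an existing admin may change the admin flag at all.
    if (!isAdminCaller(caller)) {
      return { allowed: false, reason: 'only project admins may change the admin flag' };
    }
    // Defence in depth: admin rights are granted by someone else, never self-assigned.
    if (wantsAdmin && proposed.profile === caller.profile) {
      return { allowed: false, reason: 'admin flag cannot be granted to own membership' };
    }
  }
  if (!isAdminCaller(caller) && current.profile !== caller.profile) {
    return { allowed: false, reason: 'non-admins may only edit their own membership' };
  }
  return { allowed: true };
}

// Constructed sample: the advisory's scenario, a practitioner editing their own
// membership and setting admin to true.
const practitioner: Caller = {
  profile: 'Practitioner/p1', project: 'Project/a', isProjectAdmin: false, isSuperAdmin: false,
};
const ownMembership: ProjectMembership = {
  id: 'pm-1', project: 'Project/a', profile: 'Practitioner/p1', admin: false,
};
const escalationAttempt: ProjectMembership = { ...ownMembership, admin: true };

function demo(): Decision {
  return authorizeMembershipUpdate(practitioner, ownMembership, escalationAttempt);
}
```

The guard belongs in the server-side handler for every write path to ProjectMembership (update and patch alike), not only in the UI that hides the checkbox, because the advisory's steps go through the endpoint directly. Denied decisions are worth logging with the caller profile and target membership: a non-admin attempting to set `admin: true` is exactly the event a detection rule for this weakness should fire on.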
Fix
https://github.com/medplum/medplum/pull/4074
Discovered Date
15 February 2024
Reported Date
19 February 2024
Patched Date
01 March 2024
Credit
Saharsh Agrawal
The post Privilege Escalation Leads to RCE in Medplum appeared first on Loginsoft Research.