CVE-2022-38731: How our Ethical Hacking team discovered a “zero-day” vulnerability
Qaelum DOSE 18.08 through 21.1 before 21.2 allows Directory Traversal via the loadimages name parameter. It allows a user to specify an arbitrary location on the server’s filesystem from which to load an image. (Only images are displayed to the attacker. All other files are loaded but not displayed.) The Content-Type response header reflects the actual content type of the file being requested. This allows an attacker to enumerate files on the local system. Additionally, remote resources can be requested via a UNC path, allowing an attacker to coerce authentication out from the server to the attacker’s machine.
In our Ethical Hacking team, the day-to-day work involves putting oneself in the mindset of an attacker and attempting to compromise the agreed-upon targets, in order to improve our clients’ security posture. This often leads to the team finding and exploiting known vulnerabilities and misconfigurations, but also to digging deeper and attempting to find vulnerabilities which are not yet known, more commonly referred to as “zero-day” vulnerabilities.
During a recent internal infrastructure engagement, a member of the Ethical Hacking team (James Taylor) was able to discover one such vulnerability within a third-party web application.
Technical details
In this case, the discovered vulnerability was a blind arbitrary file read (blind meaning no output was observed; arbitrary file read meaning the attacker could request any file from the system) that could also be used for authentication coercion via a mechanism known as a Universal Naming Convention (UNC) path.
The software in question was Qaelum DOSE, which is described as “…a dose management solution that automatically monitors, evaluates and reports the radiation dose that patients receive for multi-facility, multi-modality and multi-vendor imaging environments”.
The vulnerability
Specifically, DOSE versions 18.08 through 21.1 (before 21.2) allow absolute file paths to be supplied by an attacker via the “loadimages” route and its “name” parameter. This in turn allows an attacker to display an arbitrary image from the local system, or from a remote system by supplying a UNC path such as “\\attackerip\file.jpg”.
Although any file can be requested, only images are displayed to the attacker. Files on the local system can nevertheless be enumerated, because the “Content-Type” header reflects the actual content type of the requested file. Although enumeration is interesting, the impact in this case is limited.
Increasing the impact
As UNC paths can be used to load remote images, an attacker could set up a malicious SMB server and relay authentication using tools such as “ntlmrelayx.py”. Additionally, when there is a certificate authority in the domain that has the web enrollment feature enabled, it would be possible to perform NTLM relaying to the HTTP endpoint to obtain a certificate and potentially achieve remote code execution on the vulnerable server.
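As an added example (not Qaelum’s code and not part of the original advisory), the Python below shows the two defensive halves of the issue described above: a resolver for the “name” parameter that rejects absolute, UNC and traversal input and confines requests to an allowlisted image directory, and a detector that flags such values in access-log lines. The image directory, route layout and log format are assumptions; the sample log lines are constructed.

```python
import os
import re
from pathlib import Path, PureWindowsPath
from typing import List, Optional

# Added example, not Qaelum's code. Image directory, route and log format are
# assumptions; the input shapes (absolute, UNC) come from the advisory.
IMAGE_ROOT = Path("/srv/dose/images")  # hypothetical image store
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}

def resolve_image(name: str, root: Path = IMAGE_ROOT) -> Optional[Path]:
    """Map an untrusted 'name' parameter to a file strictly under root, or None."""
    if "\x00" in name:
        return None
    # PureWindowsPath parses both '\' and '/' separators, so drive-letter,
    # UNC ('\\host\share') and POSIX-absolute input are caught on any host.
    candidate = PureWindowsPath(name)
    if candidate.drive or candidate.root:
        return None
    if ".." in candidate.parts:  # relative traversal
        return None
    # The suffix allowlist also closes the Content-Type oracle: the server
    # never has to sniff and reflect the real type of an arbitrary file.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    target = os.path.normpath(os.path.join(str(root), *candidate.parts))
    if os.path.commonpath([str(root), target]) != str(root):  # belt and braces
        return None
    return Path(target)

# Detection side: flag loadimages requests whose name begins like a UNC path,
# a drive letter or an absolute path, or contains a '..' segment (raw or URL-encoded).
SUSPICIOUS_NAME = re.compile(
    r"name=(?:\\\\|%5C%5C|//|%2F%2F|[A-Za-z](?::|%3A)|/|%2F)"
    r"|(?:\.\.|%2E%2E)(?:\\|%5C|/|%2F)",
    re.IGNORECASE,
)

def suspicious_loadimages(log_lines: List[str]) -> List[str]:
    """Return access-log lines that look like abuse of the loadimages route."""
    return [l for l in log_lines if "/loadimages" in l and SUSPICIOUS_NAME.search(l)]

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /loadimages?name=study1%2Fscan_001.jpg" 200',
    '10.0.0.9 "GET /loadimages?name=C%3A%5CWindows%5Cwin.ini" 200',
    '10.0.0.9 "GET /loadimages?name=%5C%5C192.0.2.10%5Cshare%5Cx.jpg" 200',
    '10.0.0.9 "GET /loadimages?name=..%2F..%2Fetc%2Fpasswd" 200',
]
```

The resolver does not follow symlinks, so in a real deployment the image directory should also be free of links pointing outside it.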
In Summary
This vulnerability is now tracked as CVE-2022-38731 and we recommend that affected clients upgrade to the latest stable, non-vulnerable version. For more detailed information on the issue, please see the advisory at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38731.
If you would like to engage the services of the Ethical Hacking team, and see how they could help to improve your security posture, please contact Stuart Criddle.
Disclosure timeline
Vulnerability discovery - 27/05/2022
Vendor disclosure - 31/05/2022
Vendor fix - 27/06/2022
CVE request - 24/08/2022
CVE assigned - 24/08/2022
Vendor confirms public disclosure - 16/09/2022
Public disclosure - 13/02/2023