/
/
/
Privilege Escalation Leads to RCE in Medplum

Privilege Escalation Leads to RCE in Medplum

Vulnerability Reports
March 6, 2024
Profile Icon

Jason Franscisco

CVE Number

CVE-2024-29380

Loginsoft ID

Loginsoft-2024-1011

Description

The application “Medplum” is affected by a privilege escalation vulnerability that can lead to the execution of system commands. An attacker with practitioner privileges can elevate their status to a project admin using the ProjectMembership endpoint, enabling them to execute system commands through the bot editor.

CWE

CWE-269: Improper Privilege Management

CWE-94: Improper Control of Generation of Code ('Code Injection')

Affected Versions

< v3.0.7

CVSS

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H : 8.8(High)

Steps To Reproduce
  1. Create a practitioner with non-admin privileges.
  1. Login as practitioner and navigate to the endpoint `/ProjectMembership.`
  1. Click on the ID of the practitioner and navigate to the edit section.

  1. Scroll to the bottom and enable the admin option. By submitting the request, the practitioner will become project administrator.

  1. On reloading the browser, the changes will be reflected.  

  1. Navigate to Project under the admin section, and then proceed to Bots.

  1. Click on the bot’s name and then open the link associated with the bot’s name.

  1. Navigate to the editor section, input the provided payload, and execute the command. This action will trigger a system command, leading to the creation of a file in the document folder.

const { exec } = require('child_process');
  
const path = '/home/ubuntu/Documents'; 
const command = 'touch RCE';

exec(command, { cwd: path }); 
  

Impact

Ability to run arbitrary commands on SYSTEM.

Mitigation:

Remove the option to change admin status or limit access to the ProjectMembership endpoint. Additionally, add filters in the bot editor to prevent the execution of system commands.

Fix

https://github.com/medplum/medplum/pull/4074  

Discovered Date

15 February 2024

Reported Date

19 February 2024

Patched Date

01 March 2024

Credit

Saharsh Agrawal

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Sign up to our Newsletter