[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Zoll ePCR v2.6.4 iOS - Multiple Persistent Vulnerabilities

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Zoll ePCR v2.6.4 iOS - Multiple Persistent Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 2 Aug 2016 11:14:00 +0200
Document Title:
===============
Zoll ePCR v2.6.4 iOS - Multiple Persistent Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1882


Release Date:
=============
2016-08-01


Vulnerability Laboratory ID (VL-ID):
====================================
1882


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Designed specifically for first responders, the ZOLL ePCR App for iOS helps you 
capture the most critical patient information quickly and easily.
No more writing vitals or times on a glove or arm - just enter them into ePCR 
with a couple of taps.  Scan drivers licenses, insurance cards, and 
medications and eliminate typing completely. With 510(k) clearance, ZOLL ePCR 
App even uploads 12 leads, vitals, interventions and audio from your 
ZOLL X Series monitor defibrillator.  The ZOLL ePCR App taps into native iPad 
features like voice to text for the dictation of narratives and notes.  
And since the integration with ZOLL’s RescueNet ePCR last summer, data from the 
iPad App flows into the RescueNet system for use in state reporting, 
QA/QI and the billing.

( Copy of the Vendor Homepage: https://www.zolldata.com/epcrapp/  & 
https://itunes.apple.com/us/app/zoll-epcr/id444981159 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple 
application-side input validation vulnerabilities in the Zoll GmbH ePCR v2.6.4 
mobile iOS application.


Vulnerability Disclosure Timeline:
==================================
2016-08-01:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
ZOLL GmbH (ZOLL Data Systems Inc)
Product: ePCR - Mobile iOS (Web-Application) 2.6.4


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in 
the official Zoll GmbH ePCR v2.6.4 mobile iOS application.
The vulnerability allows local or remote attackers to inject own malicious 
script codes on the application-side of the affected vulnerable module.

The vulnerability is located in the `firstname` and `lastname` input parameters 
of the `Adresse` and `Patientendaten` modules. Local attackers are 
able to inject own malicious script codes to the vulnerable values to 
compromise the affected `Reports` and `Share by Email` modules. The injection 
point of the vulnerability are the vulnerable marked input fields and the 
execution point occurs in the `Report Drucken (Print Report)` on generate 
of the report and in the `Email Versenden (Send Email)` module. Attacker are 
able to share the malicious generated reports in the complete menu and 
can as well to send spoofed malicious emails via the local app.

The security risk of the application-side vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 3.6. 
Exploitation of the persistent web vulnerability requires a low privileged ios 
device account with restricted access and without user interaction. 
Successful exploitation of the vulnerabilities results in persistent phishing 
mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module 
context.

Vulnerable Module(s):
                        [+] Patientendaten (Patient Information)

Vulnerable Parameter(s):
                        [+] Vorname (Firstname)
                        [+] Nachname (Lastname)
                        [+] Adresse (Address)

Affected Module(s):
                        [+] Report Drucken (Print Report)
                        [+] Email Versenden (Send Email)


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with a low privileged ios 
device account or restricted access and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the vulnerable Zoll ePCR iOS mobile application
2. Open the software
3. Add a new client with malicious script code in the address or first- & 
lastname input parameters
4. Save the entry
5. Open the reports module (last menu entry)
6. Now the payload directly executes in the generated context via java
7. Process to share the context by email with the same effect to the client
8. Successful reproduce of the persistent vulnerabilities!


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable 
name input fields.
Restrict the input fields and disallow the usage of special chars or script 
code tags to prevent persistent injection attacks.
Encode and parse in the print or email mobule with the reports the inner app 
output context to prevent further attacks.
Disallow to convert the email with html or script code context to prevent the 
email spoofing issue with malicious persistent context.


Security Risk:
==============
The security risk of the application-side input validation web vulnerabilities 
in the mobile web-application are estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, 
including the warranties of merchantability and capability for a particular 
purpose. Vulnerability-Lab or its suppliers are not liable in any case of 
damage, 
including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been 
advised 
of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing 
limitation may not apply. We do not approve or encourage anybody to break any 
licenses, policies, deface websites, hack into databases or trade with stolen 
data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                                - 
admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically 
redistribute this alert in its unmodified form is granted. All other rights, 
including the use of other media, are reserved by Vulnerability-Lab Research 
Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the 
specific 
authors or managers. To record, list, modify, use or edit our material contact 
(admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to get a ask permission.

                                    Copyright © 2016 | Vulnerability Laboratory 
- [Evolution Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] Docebo LMS 6.9 - (Moxie) API Calls RST Remote Code Execution Vulnerability
Next by Date: [FD] WinSaber - Unquoted Service Path Privilege Escalation
Previous by thread: [FD] Docebo LMS 6.9 - (Moxie) API Calls RST Remote Code Execution Vulnerability
Next by thread: [FD] WinSaber - Unquoted Service Path Privilege Escalation
Index(es):
- Date
- Thread