[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Zoll ePCR v2.6.4 iOS - Multiple Persistent Vulnerabilities

Document Title:
Zoll ePCR v2.6.4 iOS - Multiple Persistent Vulnerabilities

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
Designed specifically for first responders, the ZOLL ePCR App for iOS helps you capture the most critical patient information quickly and easily.
No more writing vitals or times on a glove or arm - just enter them into ePCR with a couple of taps.  Scan drivers licenses, insurance cards, and 
medications and eliminate typing completely. With 510(k) clearance, ZOLL ePCR App even uploads 12 leads, vitals, interventions and audio from your 
ZOLL X Series monitor defibrillator.  The ZOLL ePCR App taps into native iPad features like voice to text for the dictation of narratives and notes.  
And since the integration with ZOLL’s RescueNet ePCR last summer, data from the iPad App flows into the RescueNet system for use in state reporting, 
QA/QI and the billing.

( Copy of the Vendor Homepage: https://www.zolldata.com/epcrapp/  & https://itunes.apple.com/us/app/zoll-epcr/id444981159 )

Abstract Advisory Information:
The vulnerability laboratory core research team discovered multiple application-side input validation vulnerabilities in the Zoll GmbH ePCR v2.6.4 mobile iOS application.

Vulnerability Disclosure Timeline:
2016-08-01:	Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
ZOLL GmbH (ZOLL Data Systems Inc)
Product: ePCR - Mobile iOS (Web-Application) 2.6.4

Exploitation Technique:

Severity Level:

Technical Details & Description:
Multiple persistent input validation web vulnerabilities has been discovered in the official Zoll GmbH ePCR v2.6.4 mobile iOS application.
The vulnerability allows local or remote attackers to inject own malicious script codes on the application-side of the affected vulnerable module.

The vulnerability is located in the `firstname` and `lastname` input parameters of the `Adresse` and `Patientendaten` modules. Local attackers are 
able to inject own malicious script codes to the vulnerable values to compromise the affected `Reports` and `Share by Email` modules. The injection 
point of the vulnerability are the vulnerable marked input fields and the execution point occurs in the `Report Drucken (Print Report)` on generate 
of the report and in the `Email Versenden (Send Email)` module. Attacker are able to share the malicious generated reports in the complete menu and 
can as well to send spoofed malicious emails via the local app.

The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. 
Exploitation of the persistent web vulnerability requires a low privileged ios device account with restricted access and without user interaction. 
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module context.

Vulnerable Module(s):
			[+] Patientendaten (Patient Information)

Vulnerable Parameter(s):
			[+] Vorname (Firstname)
			[+] Nachname (Lastname)
			[+] Adresse (Address)

Affected Module(s):
			[+] Report Drucken (Print Report)
			[+] Email Versenden (Send Email)

Proof of Concept (PoC):
The vulnerability can be exploited by local attackers with a low privileged ios device account or restricted access and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the vulnerable Zoll ePCR iOS mobile application
2. Open the software
3. Add a new client with malicious script code in the address or first- & lastname input parameters
4. Save the entry
5. Open the reports module (last menu entry)
6. Now the payload directly executes in the generated context via java
7. Process to share the context by email with the same effect to the client
8. Successful reproduce of the persistent vulnerabilities!

Solution - Fix & Patch:
The vulnerability can be patched by a secure parse and encode of the vulnerable name input fields.
Restrict the input fields and disallow the usage of special chars or script code tags to prevent persistent injection attacks.
Encode and parse in the print or email mobule with the reports the inner app output context to prevent further attacks.
Disallow to convert the email with html or script code context to prevent the email spoofing issue with malicious persistent context.

Security Risk:
The security risk of the application-side input validation web vulnerabilities in the mobile web-application are estimated as medium. (CVSS 3.5)

Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx 	- research@xxxxxxxxxxxxxxxxxxxxx 				- admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

SERVICE: www.vulnerability-lab.com