UBICOD Medivision Digital Signage 1.5.1 Privilege Escalation Through Authorization Bypass
Title: UBICOD Medivision Digital Signage 1.5.1 Privilege Escalation Through Authorization Bypass
Advisory ID: ZSL-2020-5575
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 19.07.2020
Summary
Medivision is a service that provides everything from DID operation to development of DID (Digital Information Display) optimized for the hospital environment and production of professional content, through DID product installation, image, video content planning, design work, and remote control. This is a one-stop solution that solves management at once.
Description
The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by navigating to the /html/user page (via IDOR) and sending an HTTP GET request that sets the parameter 'ft[grp]' to the integer value '3', gaining super admin rights.
Vendor
UBICOD Co., Ltd. | MEDIVISION INC. - http://www.medivision.co.kr
Affected Version
Firmware 1.5.1 (2013.01.3)
Tested On
Apache/2.4.7 (Ubuntu)
PHP/5.5.9-1ubuntu4.22
Vendor Status
[19.06.2020] Vulnerability discovered.
[21.06.2020] Vendor contacted.
[18.07.2020] No response from the vendor.
[19.07.2020] Public security advisory released.
PoC
ubicod_privesc.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/158479/UBICOD-Medivision-Digital-Signage-1.5.1-Privilege-Escalation.html
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/185537
[3] https://www.exploit-db.com/exploits/48684
Changelog
[19.07.2020] - Initial release
[24.07.2020] - Added reference [1], [2] and [3]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
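
A log check for the request named in the Description, as an added example that is not part of the original advisory or the vendor's code: it scans Apache access-log lines for GET requests to /html/user that carry the ft[grp] parameter and marks the value 3 as high severity. The combined log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Apache "combined" access log format (the advisory only names Apache/2.4.7).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SUPER_ADMIN_GRP = "3"  # value the advisory ties to super admin rights


def find_grp_requests(lines):
    """Return one finding per GET to /html/user that carries an ft[grp] parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/html/user":
            continue
        # parse_qsl percent-decodes keys, so ft%5Bgrp%5D and ft[grp] both match.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "ft[grp]":
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "grp": value,
                    "severity": "high" if value.strip() == SUPER_ADMIN_GRP else "review",
                })
    return findings


# Constructed sample log lines (documentation IP ranges), not taken from a real device.
# /html/other is a hypothetical path used only to show that other pages are ignored.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2020:09:14:02 +0000] "GET /html/user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2020:09:15:40 +0000] "GET /html/user?ft%5Bgrp%5D=3 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2020:09:15:58 +0000] "GET /html/user?ft[grp]=1 HTTP/1.1" 200 6002 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Jul/2020:09:16:30 +0000] "GET /html/other?ft[grp]=3 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_grp_requests(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['ip']} ft[grp]={f['grp']} -> HTTP {f['status']}")
```

A finding only shows that the parameter was sent; whether the account's group actually changed has to be confirmed in the application's user records.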