brianhysell.com

Making a hash of authentication on the way to RCE

Jul 6, 2021
About a year ago ICS-CERT published ICSMA-20-184-01 regarding several vulnerabilities I found in OpenClinic GA, an open source hospital information management system (HIMS), while examining it in search of severe unauthenticated vulnerabilities, especially RCE. As I scrutinized the authentication code in checkLogin.jsp, I noticed an if statement that called two different user authentication methods: initialize and initializeAuto. The former is a fairly typical “hash the input password, then compare it to the hashed password in the DB” routine. (Aside: I’ll be using the present tense because that is what I am used to in writeups, but the code we’re discussing is in older versions.)
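For reference, here is what a sound version of that “hash the input, compare to the stored hash” routine looks like. This is an added example written for this post, not OpenClinic GA’s code; it uses Python rather than the application’s JSP, and the user table, usernames and passwords are constructed for the demonstration. It salts and stretches the password with PBKDF2, compares digests in constant time, and runs a dummy hash for unknown usernames so that the response time does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    # hmac.compare_digest does not short-circuit on the first mismatching byte.
    return hmac.compare_digest(digest, stored_digest)


def make_user_db() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for the users table: username -> (salt, digest)."""
    db: Dict[str, Tuple[bytes, bytes]] = {}
    for name, pw in [("alice", "correct horse battery staple"), ("bob", "hunter2")]:
        db[name] = hash_password(pw)
    return db


# Hashed once at import time and used for unknown usernames, so a login
# attempt against a missing account costs the same as one against a real one.
DUMMY_SALT, DUMMY_DIGEST = hash_password("dummy-password-never-accepted")


def check_login(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """The hash-then-compare login check: True only for a known user with the right password."""
    salt, digest = db.get(username, (DUMMY_SALT, DUMMY_DIGEST))
    matched = verify_password(password, salt, digest)
    # The dummy digest can never equal a real user's digest, but be explicit anyway.
    return matched and username in db


if __name__ == "__main__":
    users = make_user_db()
    print(check_login(users, "alice", "correct horse battery staple"))  # True
    print(check_login(users, "alice", "wrong"))                         # False
    print(check_login(users, "carol", "anything"))                      # False
```

The point of the example is that every login attempt, whether the username exists or not, goes through the same salted hash and constant-time comparison; an alternate code path that skips the hash step, as the second method examined later in this post does, is exactly the kind of thing worth scrutinizing in an authentication routine.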