ZOLL DefibDashboard Unrestricted Upload

Severity: High
Advisory ID: L9-42-480
Published: August 10, 2021
Updated: August 19, 2021
Category: Unrestricted Upload of File with Dangerous Type
Vendor: ZOLL
Product: Defibrillator Dashboard
Version: 1.2

Risk Summary

ZOLL's DefibDashboard is fleet management software for the R-Series of defibrillators. The Wi-Fi enabled defibrillators upload regular maintenance and diagnostic information to this dashboard system for readiness monitoring by biomedical engineering teams.

In affected versions of DefibDashboard a low-privileged user can upload dangerous files to the Device Check File (DCF) facility, resulting in the ability to execute arbitrary commands on the underlying operating system.

For details on this and other responsibly disclosed DefibDashboard vulnerabilities see https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01.

Technical Details

File upload

Files submitted to the DCF facility (at /DefibDashboard/Upload.aspx) are saved to the 'Upload' directory directly beneath the web root (at /DefibDashboard/Upload/).

(Figure: File upload)

(Figure: Web config payload)

(Figure: Web config payload POST)

Because the application places unchecked user-controlled files in an executable environment under the web root, a threat actor can upload a file containing ASP.NET code and the server will process the directives, resulting in remote code execution (RCE).

(Figure: whoami execution)

In this case, the DefibDashboard application ships in a precompiled state (updatable=false), so simply uploading a new ASPX file into the web root does not result in code execution. Execution is instead achieved in the context of IIS by uploading a web.config file with embedded ASP code. This technique is discussed further here.
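As an added defensive example (not code from the advisory or from ZOLL), the following Python script runs over constructed IIS W3C-format log lines and flags requests for web.config or other server-interpreted file types under the Upload directory named above, noting whether the same client POSTed to /DefibDashboard/Upload.aspx shortly before (the upload-then-trigger pattern). The dangerous-extension list, the ten-minute window and the sample log lines are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C-format log lines (not real DefibDashboard logs); fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2021-08-10 13:01:02 10.0.0.5 POST /DefibDashboard/Upload.aspx - 443 biomed01 10.0.0.77 Mozilla/5.0 302
2021-08-10 13:01:09 10.0.0.5 GET /DefibDashboard/Upload/web.config - 443 - 10.0.0.77 Mozilla/5.0 200
2021-08-10 13:05:30 10.0.0.5 GET /DefibDashboard/Upload/R-Series_check.dcf - 443 biomed02 10.0.0.78 Mozilla/5.0 200
2021-08-10 14:20:00 10.0.0.5 GET /DefibDashboard/Upload/readme.aspx - 443 - 10.0.0.90 curl/7.68.0 404
"""

UPLOAD_HANDLER = "/defibdashboard/upload.aspx"   # path from the advisory, lower-cased for matching
UPLOAD_DIR = "/defibdashboard/upload/"
# Names/extensions IIS or ASP.NET would interpret rather than serve as data (assumed list; extend as needed)
DANGEROUS_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".config", ".soap", ".cshtml"}
WINDOW = timedelta(minutes=10)   # assumed: how far back to look for the upload POST from the same client

def parse_line(line):
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 11:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "method": f[3], "path": f[4], "client": f[8], "status": f[10]}

def find_dangerous_upload_access(log_text):
    """Flag requests for executable/config files under the Upload directory and record
    whether the same client POSTed to Upload.aspx within WINDOW beforehand."""
    last_post = {}          # client IP -> time of its most recent POST to the upload handler
    alerts = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        path = e["path"].lower()
        if e["method"] == "POST" and path == UPLOAD_HANDLER:
            last_post[e["client"]] = e["ts"]
            continue
        if not path.startswith(UPLOAD_DIR):
            continue
        name = path.rsplit("/", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if name == "web.config" or ext in DANGEROUS_EXT:
            prior = last_post.get(e["client"])
            alerts.append({
                "time": e["ts"], "client": e["client"], "path": e["path"], "status": e["status"],
                "correlated_upload": prior is not None and e["ts"] - prior <= WINDOW,
            })
    return alerts

if __name__ == "__main__":
    for a in find_dangerous_upload_access(SAMPLE_LOG):
        print(a)
```

Ordinary DCF files under the Upload directory are not flagged; only names or extensions the server would interpret are, so the same logic also serves as a periodic check of the directory contents on disk.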