MedDream PACS Premium Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in MedDream PACS Premium version 7.3.3.840. The issue arises in the login.php functionality, where insufficient NTFS file permissions allow users with login access to modify PHP files. By uploading a specially crafted .php file, an attacker can insert shell commands to add a user account to the administrators group, thereby elevating privileges. This vulnerability exploits the fact that the MedDream web interface operates under the 'nt authority\system' account, facilitating the unauthorized addition of administrative rights.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, granting a user administrative rights on the system.

Reproduction

To reproduce this vulnerability, upload a malicious .php file to the MedDream PACS Premium application. The uploaded file should be crafted to exploit the insufficient file permissions by altering the login.php file. Once the file is uploaded, reload the login.php file through the web interface. The application will execute the injected commands, adding the specified user account to the local administrators group.

Remediation

Users are advised to update to the patched version of MedDream PACS Premium, which is available following the vendor's recent update.