ZOLL DefibDashboard Unrestricted Upload – Level Nine Group
High
Advisory ID:
L9-42-480
First Published:
August 10th, 2021
Last Updated:
January 22nd, 2024
Version:
1.2
Category:
Unrestricted Upload of File with Dangerous Type
Vendor:
ZOLL
Product:
Defibrillator Dashboard
Risk Summary
ZOLL’s DefibDashboard is fleet management software for the R-Series of defibrillators. The Wi-Fi enabled defibrillators upload regular maintenance and diagnostic information to this dashboard system for readiness monitoring by biomedical engineering teams.
In affected versions of DefibDashboard a low-privileged user can upload files of dangerous types to the Device Check File (DCF) facility, resulting in the ability to execute arbitrary commands on the underlying operating system.
Files submitted to the DCF facility (at /DefibDashboard/Upload.aspx) are saved under their client-supplied name to the ‘Upload’ directory directly beneath the web root (at /DefibDashboard/Upload/), where they are reachable by URL.
Web config payload
Because the application places unchecked user-controlled files in an executable location under the web root, a threat actor can upload a file containing ASP.NET code and the server will process its directives, resulting in remote code execution (RCE).
In this case the DefibDashboard application ships precompiled (updatable=false), so IIS does not compile a newly uploaded ASPX file on demand and simply dropping one into the web root does not result in code execution. Execution is instead achieved in the context of the IIS worker process by uploading a web.config file with embedded ASP.NET code: IIS honours the configuration directives in any web.config found in a served directory, and those directives can cause the file itself to be handled as a page. This technique is discussed further here.
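The root cause above is that the upload handler trusts the client-supplied filename and writes the file beneath the web root. The following is an added example, not code from ZOLL or from this advisory, of the server-side checks a DCF-style upload endpoint should apply before anything touches disk: an extension allowlist, rejection of every name or extension that IIS or ASP.NET interprets rather than serves (web.config included, in any case and with the NTFS trailing-dot and `::$DATA` spellings that collapse to it), and storage under a random name in a directory that is asserted to lie outside the web root. The directory paths and the allowed extension set are assumptions for illustration.

```python
from __future__ import annotations

import re
import secrets
from pathlib import PureWindowsPath

# Assumed locations (not taken from the advisory): the application root and a
# data directory that is NOT beneath it, so nothing stored there is ever
# reachable by URL, whatever IIS decides the file type is.
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot\DefibDashboard")
UPLOAD_STORE = PureWindowsPath(r"C:\ProgramData\DefibDashboard\dcf")

# Allowlist: only what a device check file can legitimately be (assumption).
ALLOWED_EXTENSIONS = {"dcf", "txt", "xml"}

# Extensions IIS / ASP.NET hand to a handler instead of serving as static content.
SERVER_INTERPRETED = {
    "config", "aspx", "asax", "ashx", "asmx", "asp", "svc", "soap", "xamlx",
    "cshtml", "vbhtml", "master", "skin", "browser", "dll", "exe", "cs", "vb",
}
# Exact names with special meaning to IIS / ASP.NET, compared case-insensitively.
RESERVED_NAMES = {"web.config", "global.asax", "precompiledapp.config"}

_STEM = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def normalise_name(raw: str) -> str:
    """Reduce a client-supplied filename to the name NTFS/IIS would actually use."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    name = name.split("::", 1)[0]                       # drop NTFS stream: web.config::$DATA
    return name.rstrip(". ").lower()                    # NTFS ignores trailing dots/spaces


def check_filename(raw: str) -> tuple[bool, str]:
    """Return (accepted, normalised name) or (rejected, reason)."""
    name = normalise_name(raw)
    if not name:
        return False, "empty filename"
    if name in RESERVED_NAMES:
        return False, f"reserved name: {name}"
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    stem, *exts = parts
    # Every dotted segment is checked, so shell.aspx.txt and shell.txt.aspx both fail.
    for ext in exts:
        if ext in SERVER_INTERPRETED:
            return False, f"server-interpreted extension: .{ext}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: .{exts[-1]}"
    if not _STEM.match(stem):
        return False, "stem contains disallowed characters"
    return True, name


def storage_path(raw: str) -> PureWindowsPath | None:
    """Where an accepted upload is written, or None if the name is rejected.

    The client name is never used on disk: a random name carrying only the
    validated extension goes into UPLOAD_STORE, which must not be under WEB_ROOT.
    """
    ok, detail = check_filename(raw)
    if not ok:
        return None
    ext = detail.rsplit(".", 1)[-1]
    target = UPLOAD_STORE / f"{secrets.token_hex(16)}.{ext}"
    if target.is_relative_to(WEB_ROOT):
        raise RuntimeError("upload store must not be under the web root")
    return target


if __name__ == "__main__":
    for candidate in ("report.dcf", "web.config", "WEB.CONFIG::$DATA", "web.config.",
                      "..\\..\\web.config", "shell.aspx", "shell.aspx.txt"):
        print(f"{candidate!r:28} -> {check_filename(candidate)}")
```

Application-level validation of this kind is necessary but not sufficient on IIS: the Upload directory should additionally be denied script execution in the server configuration, and because a web.config written into that directory by the upload would replace any per-directory config placed there, that lock has to be applied from a parent configuration level rather than from within the directory itself.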