X41 D-Sec GmbH Security Advisory: X41-2020-003

Multiple Vulnerabilities in Epikur

Summary and Impact

Several flaws regarding authentication have been identified in Epikur, which allow attackers to access sensitive information. Among the issues identified are a backdoor password, weak password hashes and hardcoded credentials.

Product Description

Epikur allows you to manage a medical office and patients.

Backdoor Password

Analysis

The Epikur server contains the checkPasswort() function that, upon user login, checks the submitted password against the user password’s MD5 hash stored in the database. It is also compared to a second MD5 hash, which is the same for every user. If the submitted password matches either one, access is granted.

public boolean checkPasswort(String otherPassword) {
  return (otherPassword.equals(this.passwd) || otherPassword.equals("mhEVfZUMEwwvr8b9SEpLhA=="));
}

Brute-forcing the second hash reveals that the password 3p1kursupport will allow you to log in as any user.

Passwords stored as MD5 Hash

Analysis

Epikur stores the secret passwords of the users as an MD5 hash in the database. MD5 can be brute-forced efficiently and should not be used for such purposes. Additionally, since no salt is used, rainbow tables can speed up the attack.
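For contrast with checkPasswort() above and with the unsalted MD5 storage described here, the following added example (not Epikur code and not part of the advisory) sketches a password record that uses a per-user random salt, a slow key derivation function and a constant-time comparison, with no shared fallback value. PBKDF2-HMAC-SHA256 is one suitable choice made for this illustration; the class name, field names and iteration count are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration; all names here are hypothetical, not Epikur's.
public class PasswordRecord {
    private static final int ITERATIONS = 600_000; // assumed work factor, tune per hardware
    private final byte[] salt; // random, unique per user, stored next to the hash
    private final byte[] hash; // PBKDF2-HMAC-SHA256 output

    private PasswordRecord(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }

    // Called when a user sets a password: fresh salt, slow derivation.
    public static PasswordRecord create(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new PasswordRecord(salt, derive(password, salt));
    }

    // Login check: only this user's record is consulted, there is no second accepted value.
    public boolean checkPassword(char[] candidate) throws GeneralSecurityException {
        // MessageDigest.isEqual compares in constant time, unlike String.equals.
        return MessageDigest.isEqual(hash, derive(candidate, salt));
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample passwords.
        PasswordRecord a = create("correct horse".toCharArray());
        PasswordRecord b = create("correct horse".toCharArray());
        System.out.println("right password accepted: " + a.checkPassword("correct horse".toCharArray()));
        System.out.println("wrong password accepted: " + a.checkPassword("wrong".toCharArray()));
        // Same password, different salts: the stored hashes differ, so precomputed tables do not apply.
        System.out.println("identical stored hashes: " + Arrays.equals(a.hash, b.hash));
    }
}
```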

Glassfish Administrator Password Not Set

Analysis

A Glassfish 4.1 server with default configuration is running on TCP port 4848. No password is required to access it with the administrator account.

Timeline

About X41 D-SEC GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.