Local Root Exploit in HospitalRun Software
ฝัง
- เผยแพร่เมื่อ 9 มิ.ย. 2024
- Let's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included a full exploit code. Let's use this app as an example on how to find a macOS privilege escalation and learn how local root exploits can work.
Print BINGO sheet: / 1682650394227351552
Sources:
Original LinkedIn Post: web.archive.org/web/202304240...
The Exploit code: 0day.today/exploit/38531
"The project has been deprecated for 2 years. Version 1.0.0-beta has been an EOL for at least 5 years" - developer statement: / 1650059269939552256
My references finding priv esc issues in macOS apps:
github.com/cure53/Publication...
github.com/cure53/Publication...
github.com/cure53/Publication...
github.com/cure53/Publication...
Help me pay for any legal trouble in case somebody wants to sue me (advertisement): shop.liveoverflow.com/
Chapters:
00:00 - Intro: Practice Research with Existing Issues
01:45 - HospitalRun Functionality
03:07 - What is a Local Root Exploit?
05:49 - Typical macOS Priviledge Escalation Issues
09:23 - Looking for Priviledged Helper in HospitalRun
10:10 - My Experience in finding Local Root Exploits on macOS
11:46 - Threat Modeling and Common Deployments
13:11 - Was this an April Fools Joke?
14:18 - Analysing and Cleaning Up The Exploit Code
17:51 - Reading Comments on LinkedIn
19:29 - BINGO!
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
When the author's comment said- "[This exploit] can change your blood group". I honestly believed this was an April Fool's joke for a second...
Will melt your face right off your skull,
And make your iPod only play Jethro Tull,
And tell you knock-knock jokes while you're trying to sleep,
And make you physically attracted to sheep,
Steal your identity and your credit card,
Buy you a warehouse full of pink leotards,
Then cause a major rift in time and space,
And leave a bunch of Twinkie wrappers all over the place!
- “Virus Alert” by Weird Al Yankovic
The sad thing here is that this isn't a joke. It's just Jean Pereira being an infosec fraud.
liveoverflow just made this so exciting!
He made a video about him on LiveUnderflow (in german)
The "it's not an April Fools joke" to "it is" to "it is not" was too good 😂
@@zorkman777 It was not. This guy does this regularly.
@@MartinHaunschmid So it was neither?
The joke is that LiveOverflow thought it was an April fools joke due to various reasons. It turns out that the guy on LinkedIn was serious, his report was not an April fool's joke.
As someone who installed critical infrastructure around the health care sector for a while here my heart was racing.
@@JohannaMueller57 Every request i've forwarded to health care equipment has fallen on deaf ears. Somehow these companies who charge a mint for products have no intentions of fixing life saving equipment running with admin/admin over http, then advocating for it to be put on a corporate WAN.
As for leaving it's not some "if people start leaving they will fix problems" - It's more they'll replace you with people who don't know or don't care. The people who make products and install them are rarely the same company.
Sad truth, but hey.
Thank you for rekindling my disgust towards the LinkedIn community
Ive seen Jean Pereira too many times on my linkedin feed and I just have to cringe every single time. I also love how he claims that he has learned everything himself and that he doesnt need any cybersecurity education 😂
The mic drop at 11:40 is amazing
Thank you for your videos and hard work! Your channel covers a lot of technical details and professional knowledge that is really hard to find on the internet (in the approachable way) and which I deeply enjoy!
"On Mac, like many other Linux-distros, ..." LMAO
So if I understood it correctly, that guy executed that program as root, then used root access to patch his custom code into the executable which opens up a TCP server. Using netcat he then connected to that server as user and executed privileged commands? This would work in every application which uses a non-compiled JIT language... Basically a really weird flex, probably to get some followers and sell his software?
not just JIT programs, it literally works on every single executable (its just a bit more complicated to patch binary code into a compiled program but you can still do it)
basically this guy just claimed "sudo" was a privilege escalation technique lmao
liveoverflow also said that there are no privileged processes 11:03
He isn't wrong lol@@DFsdf3443d
Raymond Chen of Microsoft does an irregular blog series called "The other side of the airtight hatchway" meaning that a "security vulnerability" reported would be great if it could actually get you to the other side of the hatch (root/admin). I think in this case using sudo to run an app as root that isn't designed for that counts, since you have to already enter your credentials for sudo. And if you do that, you could just use sudo to run a malicious app directly, no need for hospital run at all.
Imagine my vuln writeup:
You have to beg them to misuse the application but THEN...
@@hyronharrison8127 To be fair, that's the most common way it's done. We call it "social engineering." A lot of applications will actually refuse to run if they detect escalated privileges specifically to protect users from their own misguided misuse.
That's all very well, but there are a lot of cases where people do run apps as root, even though they shouldn't, because it's "easier". And in a case like this one, it's a problem to have even a privilege escalation to whatever user the software is run as. If I can become that user, I can modify patient data, even if I can't take over the machine.
So was the original guy just spreading misinformation?
@@UC1kVaZyvOs39Y it's been two month from your comment, but you hopefully see this. I know people that want to make business with that guy. Can you give me some more detailled information why to not make business with him? appreciate it
Even in a situation like this, I find you inspirational. Thanks for your videos and content
Awesome journey! I literately feel it like a real research! Love the video, thanks!
The bingo middle finger got me ngl.
Bingo. Thanks for the video. Its amazing explain a lot about some hype that coming and go in cyber security.
> Replace executable with your own modified one.
> Run as root.
> Profit 1000 linkedin karma from reactionary dimwits.
First Name: Live
Last Name: Overflow
Reason for visit: Brain too big.
Hahahahahaha nice
Dude, changing a physical file is considered a vuln or even a 0-day? WTF.
Yeah, but the vid you did on leeroy getting kinda fooled by JP made it a bit clearer to me. Big UP and many thanks for this enlightenment!
Maybe?? If thr electron binary was run as root but the asar file was world writable itd make sense. But its not ...
Einfach nur danke für dieses Video!!
and that is why specifying d/m/y or m/d/y is important
after working for US customer for 10+ years every time i see date like 06-04-2023 my brain refuses to accept such date format
I just assume it can be both
if I need to record a date somewhere I use 2023-06-04
@@Z3rgatul that's totally, fine, either go big to small or small to big. But m/d/y is ludicrous, same goes for most imperial measurements.
Always yyyy-mm-dd
No matter how you write that date it was not April 1st
4:07 "Now on mac, like many other linux distros," hmmm
0daytoday is an ExploitDB clone and the admin tricks people into buying fake exploits. All of the user accounts are the same person, there are videos about this. Great video LO! Just wanted to warn people of this...
Truly an informative, comprehensive and entertaining video + Bingo. One of my favorites, thanks for the great effort. Congratulations pal!
Wait what...that was a great suspense 😂
11:46 so Privilege Escalation is more of a Privilege Declaration, on to or via a root daemon.
It's not user becoming root, it’s user communicating through an already root system.
In a real attack, it could be a program, not a human user. So it's a virus that gets onto the target machine in a non-root way (like in a mail attachment), and then "escalates" itself by forcing the root daemon to... for example, install the command "run this virus as root" into the system's task scheduler, so that it's launched on every system restart.
Really good Video.
These kind of open sources may be used in testing environments in companies.
The most useful thing is to use them as 3rd party vendors for integration testing purposes.
So it may be not viable for production but students and testing teams may find it useful.
What>???
Was the original post a joke or not?
I am a bit confused by the end bit...
excerpt:
"This code, was not prepared ahead of april fools day?
Bingo!
You know what else was not an april fools joke but looks like one?
[...]"
Very clever video
the original post was meant seriously, hence why liveOverflow was blocked, but the exploit shown came from malpractice from the guy that presented the exploit on the 0day site.
Why doesn't Michael Cera act in films? Passionate about hacking apps. Actually just found your channel, very cool content.
Watching this after movie Babylon so finally I get some drama genre 🙂
i really like how you've said in the beginning of the video "last time i sadly couldnt find a vulnerability. but this time i do a challenge so we can definitely find one!" and there's still not a real issue :D but still very informative bro! keep it up hacker boy! liebe grüße.
hätte gleich deutsch schreiben können merke ich gerade ahha
I know very little about security, stumbled across this randomly. But it seems strange to me that entering the password for a regular user is sufficient to install a root daemon. Shouldn't anything that runs as root require entering the root password?
I hope in the future you make more hardware hacking vids
i found you with the Minecraft stuff on your channel, is there any new minecraft stuff upcomming ?
Please make one amazing hacking video playlists ❤❤❤
I'm just a comment for the algorithm.
Ayi Sabashhh
The mic drop at 11:44 😂😂
You really look like Christopher Slater as Mr. Robot.
Great one!🤣
😂😂😂 Love youuu
lol @ broadcasthost, love that [3:44]
🤔 ive seen some apps that check at the start if they are run as root and then stop execution
that’s done by software which by design allows arbitrary code to be executed ( package managers, for example )
@@U20E0 I think they meant other way around. For example, when you install steam on linux, and try to run it as root, it will immediately exit with an error message like "It's not safe to run steam as root, don't do that"
@@hikkamorii yes, because steam also allows arbitrary code to be executed on your computer.
I am confusion
😂😂 great video as always
Tq
lol lol lol, loved it
Bingo!
its the best joke to know i laughed very hard in a while
it was nice Broooooo
Grifter gets called out: a video presentation
ngl he had us in the first 20 mins :D
so cool xD
Maybe I'm just stupid but why can the vpn install a certain part that runs with root privileges? You only entered your non root user password it seemed. Doesnt that mean we could just write our own installer that asks for user password but puts malicioua code under a root level part?
what you think is the "non root user password", gives the root permissions. Ever used Linux with sudo? When your user belongs to the sudo group you also enter YOUR user's password to execute a command as root.
You forgot the end cards :P
Push!
brilliant piece of media
I don't understand, are we expecting a sequel ?
the guy that posted the exploit used malpractice and ran the program as root to make it seem like he had a crazy exploit, but its just that: malpractice and a joke at best
this is hilarious
I just got a linkedin request from this guy??????? like, what?
i think it would be fine to call out the fact that this person is obv. attempting to bullshit others. its not a nice thing to do.
Within 1 hour gang!! So excited to see the video past 3:56!!
The twist. Lmao hahahaha
the hacker news bdarija
What is the name of this phenomenal 😅
It seems that on macOS, you don't need root to make a VPN (for example, tailscale doesn't include a root daemon)
but how does it do it exactly?
I'm thinking maybe there's a way for you to configure the USER SPECIFIC network settings, so no root access required.
@@okolol Maybe something like we have on Android or iOS where a VPN app would consist of a UI and a helper running as an unprivileged daemon, which I assume is able to interface with the operating system's network interface.
@@okololfrom what i understand (which is admittedly not much), you cant screw with other users' settings because there can be at most one concurrent login* so it's fine to let the app overwrite all the settings
* ssh isnt real!!! /s
@@TheDuckPox I'm sure while you don't need root access in android, you do need special permission to configure the user vpn settings. and yes, it's per user basis, I've tried it. but I don't know much about ios nor macos.
@@pitust yea, why would you modify other user settings though? you will only need to modify the current user settings, and if you want to make it system wide, then just use root.
Broo......App sec video or a Christopher Nolan movie ????
why tho
July Fools
Hey, i found the liveoverflow smp! And i made a mod for it!
was it a joke or not ?
"on mac like any other linux distro" man have you forgotten that modern macos is based on the xnu kernel?
It seems perfectly cromulent, I don't think any of us have figured out a way to pronounce '*nix' yet
@@khill8645 well the xnu kernel is basically the mach kernel from Carnegie Mellon university, a BSD subsystem and a lot of custom code added to o it, so it's not related to unix in the strictest sense, however that BSD part was made by actually replacing every source file from the og unix source code release with reimplementations made by the Berkeley University developers that originally made BSD, so it's a compatible program, but it's not actually unix and of course it's not really the base of the xnu kernel, but a subsystem that it's used to provvide an interface for programs to run on and to have compatibility with existing unix/bsd software. So xnu it's actually it's own very wired beast.
🤓
@@piecaruso97 It isn't about 'custom code' or whatever, it's just about POSIX compliance.
that was fully intentional
If comic sans made it to the front of goverment buildingfs and coins and stuff i bet your font can get far as well! haha and no nothing is worse then comic sans
After your video, he removes the post on linkedin lel
Android does it right, 3rd party VPN need no root.
Brain too small LMAO
This video isn’t funny the first time through. But it is the second time.
🤪
what
Morawiecki na miniaturce
YOU'RE HACKING HOSPITALS??
Jk
lol?
I don’t get the Joke
9:24 "how [] can look like" -> downvote
the software shouldnt allow the user to run it as root. making it a software issue not a user issue .
There isn't a vulnerability (that we know about) even if you install and run it as root. You would then need to be root to be able to rewrite the ASAR. "Elevating privileges" from root to root doesn't gain you anything.
I'm american, have never seen yyyy/dd/mm, we're notorious for going month then day.
Hi, please note that 0daydottoday is SCAM, please dont do advertisements for them cause naive ppl still get caught by their “5k for instagram takeover exploit”
what’s that?