Local Root Exploit in HospitalRun Software
3,382Let's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included a full exploit code. Let's use this app as an example on how to find a macOS privilege escalation and learn how local root exploits can work.
Print BINGO sheet: https://twitter.com/liveoverflow/status/1682650394227351552
Sources:
Original LinkedIn Post: https://web.archive.org/web/20230424004137/https://www.linkedin.com/posts/jeanpereira00_sicherheitsl%C3%BCcke-in-krankenhaus-software-activity-7055185115584303104-2eZr
The Exploit code: https://0day.today/exploit/38531
"The project has been deprecated for 2 years. Version 1.0.0-beta has been an EOL for at least 5 years" - developer statement: https://twitter.com/tehkapa/status/1650059269939552256
My references finding priv esc issues in macOS apps:
https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear.pdf
https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear_2018.pdf
https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear_2019.pdf
https://github.com/cure53/Publications/blob/master/pentest-report_IVPN.pdf
Help me pay for any legal trouble in case somebody wants to sue me (advertisement): https://shop.liveoverflow.com/
Chapters:
00:00 - Intro: Practice Research with Existing Issues
01:45 - HospitalRun Functionality
03:07 - What is a Local Root Exploit?
05:49 - Typical macOS Priviledge Escalation Issues
09:23 - Looking for Priviledged Helper in HospitalRun
10:10 - My Experience in finding Local Root Exploits on macOS
11:46 - Threat Modeling and Common Deployments
13:11 - Was this an April Fools Joke?
14:18 - Analysing and Cleaning Up The Exploit Code
17:51 - Reading Comments on LinkedIn
19:29 - BINGO!
=[ ❤️ Support ]=
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
2nd Channel: https://www.youtube.com/LiveUnderflow
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tvLiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
Other Videos By LiveOverflow
| 2024-08-20 | My Trip to DEF CON & Black Hat |
| 2024-01-22 | Finding The .webp Vulnerability in 8s (Fuzzing with AFL++) |
| 2023-12-21 | A Vulnerability to Hack The World - CVE-2023-4863 |
| 2023-11-20 | Reinventing Web Security |
| 2023-10-17 | The Circle of Unfixable Security Issues |
| 2023-10-05 | Binary Exploitation vs. Web Security |
| 2023-09-19 | Hacker Tweets Explained |
| 2023-08-29 | Zenbleed (CVE-2023-20593) |
| 2023-08-18 | The Discovery of Zenbleed ft. Tavis Ormandy |
| 2023-08-01 | Asking Android Developers About Security at Droidcon Berlin |
| 2023-07-22 | Local Root Exploit in HospitalRun Software |
| 2023-07-13 | Android App Bug Bounty Secrets |
| 2023-07-03 | Generic HTML Sanitizer Bypass Investigation |
| 2023-06-22 | Hacking Google Cloud? |
| 2023-06-11 | Trying to Find a Bug in WordPress |
| 2023-05-31 | Authentication Bypass Using Root Array |
| 2023-05-22 | My YouTube Financials - The Future of LiveOverflow |
| 2023-05-11 | Defending LLM - Prompt Injection |
| 2023-04-27 | Accidental LLM Backdoor - Prompt Tricks |
| 2023-04-14 | Attacking LLM - Prompt Injection |
| 2023-04-01 | Our Future As Hackers Is At Stake! |