ConQuest DICOM Server 1.4.17d Remote Stack Buffer Overflow RCE

2016-12-16T00:00:00
ID ZSL-2016-5383
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-12-16T00:00:00

Description

Title: ConQuest DICOM Server 1.4.17d Remote Stack Buffer Overflow RCE
Advisory ID: ZSL-2016-5383
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 16.12.2016

Summary

A full-featured DICOM server has been developed based on the public domain UCDMC DICOM code. Some possible applications of the Conquest DICOM software are: DICOM training and testing; demonstration image archives; image format conversion from a scanner with DICOM network access; DICOM image slide making; DICOM image selection and (limited) editing; automatic image forwarding and (de)compression.

Description

The vulnerability is caused by the use of a vulnerable collection of libraries that are part of the DCMTK toolkit, specifically the parser for the DICOM Upper Layer Protocol (DUL). A stack or heap buffer overflow or underflow can be triggered when the DICOM Store-SCP service receives and processes an ACSE data structure with an incorrect length over the network. An attacker can overflow the stack and the heap of the process by sending a large array of bytes in the presentation context item length field defined by the DICOM standard, potentially resulting in remote code execution and/or a denial of service.
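The defect described above is a length field that the parser trusts before checking it against the bytes actually received. The following C program is an added example written for this advisory; it is not code from the ConQuest project, from DCMTK, or from the original PoC. It validates the item and sub-item lengths of an A-ASSOCIATE-RQ PDU (item type codes and the 74-byte fixed header come from DICOM PS3.8) before anything is copied, and exercises the check on three constructed inputs: a well-formed request, the same bytes with the presentation context item length overwritten with 0xFFFF, and a request truncated by one byte. The AE titles, the UIDs used and the 256-byte buffer size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DICOM Upper Layer (DUL) PDU and item type codes from PS3.8. */
#define PDU_A_ASSOCIATE_RQ    0x01
#define ITEM_APP_CONTEXT      0x10
#define ITEM_PRES_CONTEXT     0x20
#define ITEM_ABSTRACT_SYNTAX  0x30
#define ITEM_TRANSFER_SYNTAX  0x40
#define ITEM_USER_INFO        0x50
#define ASSOC_RQ_FIXED_BYTES  74   /* 6-byte PDU header + 68 bytes of fixed fields */
#define MAX_UID_LEN           64   /* DICOM UIDs are at most 64 characters */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the sub-items of one presentation context item. Each sub-item length is
   checked against the bytes remaining inside the enclosing item before use.
   Returns 0 if well-formed, -1 otherwise. */
static int check_pres_context(const uint8_t *item, size_t item_len)
{
    size_t off = 4;                                  /* context ID + 3 reserved bytes */
    int saw_abstract = 0, saw_transfer = 0;
    if (item_len < off) return -1;
    while (off < item_len) {
        if (item_len - off < 4) return -1;           /* truncated sub-item header */
        uint8_t type = item[off];
        uint16_t len = be16(item + off + 2);
        off += 4;
        if (len > item_len - off || len > MAX_UID_LEN) return -1;
        if (type == ITEM_ABSTRACT_SYNTAX) saw_abstract = 1;
        else if (type == ITEM_TRANSFER_SYNTAX) saw_transfer = 1;
        else return -1;
        off += len;
    }
    return (saw_abstract && saw_transfer) ? 0 : -1;
}

/* Validate an A-ASSOCIATE-RQ PDU of n bytes before any field is copied.
   Returns the number of presentation contexts, or -1 if the PDU is malformed. */
int validate_assoc_rq(const uint8_t *pdu, size_t n)
{
    size_t off = ASSOC_RQ_FIXED_BYTES;
    int contexts = 0;
    if (n < ASSOC_RQ_FIXED_BYTES || pdu[0] != PDU_A_ASSOCIATE_RQ) return -1;
    if (be32(pdu + 2) != n - 6) return -1;           /* declared length vs. bytes received */
    while (off < n) {
        if (n - off < 4) return -1;                  /* truncated item header */
        uint8_t type = pdu[off];
        uint16_t len = be16(pdu + off + 2);
        off += 4;
        if (len > n - off) return -1;                /* item length overruns the PDU */
        if (type == ITEM_PRES_CONTEXT) {
            if (check_pres_context(pdu + off, len) < 0) return -1;
            contexts++;
        } else if (type != ITEM_APP_CONTEXT && type != ITEM_USER_INFO) {
            return -1;
        }
        off += len;
    }
    return contexts;
}

/* Append one item: type, reserved byte, 16-bit big-endian length, data. */
static size_t put_item(uint8_t *out, size_t off, uint8_t type, const void *data, size_t len)
{
    out[off] = type; out[off + 1] = 0;
    out[off + 2] = (uint8_t)(len >> 8); out[off + 3] = (uint8_t)len;
    memcpy(out + off + 4, data, len);
    return off + 4 + len;
}

/* Build a constructed A-ASSOCIATE-RQ with one CT Image Storage context into out
   (at least 256 bytes). With oversize_pres_ctx set, the presentation context
   item's length field is overwritten with 0xFFFF while the bytes stay the same,
   so the declared length exceeds the PDU. Returns the number of bytes written. */
size_t build_sample_assoc_rq(uint8_t *out, int oversize_pres_ctx)
{
    static const char app_ctx[] = "1.2.840.10008.3.1.1.1";
    static const char abs_syn[] = "1.2.840.10008.5.1.4.1.1.2";   /* CT Image Storage */
    static const char tsyn[]    = "1.2.840.10008.1.2";           /* Implicit VR Little Endian */
    static const uint8_t max_len_sub[8] = { 0x51, 0, 0, 4, 0, 0, 0x40, 0 }; /* max PDU 16384 */
    uint8_t pc[128];
    size_t off = 6, pl = 4, pc_off;
    memset(out, 0, 256);
    memset(pc, 0, sizeof pc);
    out[0] = PDU_A_ASSOCIATE_RQ;
    out[off + 1] = 0x01; off += 4;                           /* protocol version 1 + reserved */
    memcpy(out + off, "CONQUESTSRV1    ", 16); off += 16;   /* called AE title (constructed) */
    memcpy(out + off, "TESTSCU         ", 16); off += 16;   /* calling AE title (constructed) */
    off += 32;                                               /* reserved */
    off = put_item(out, off, ITEM_APP_CONTEXT, app_ctx, strlen(app_ctx));
    pc[0] = 1;                                               /* presentation context ID */
    pl = put_item(pc, pl, ITEM_ABSTRACT_SYNTAX, abs_syn, strlen(abs_syn));
    pl = put_item(pc, pl, ITEM_TRANSFER_SYNTAX, tsyn, strlen(tsyn));
    pc_off = off;
    off = put_item(out, off, ITEM_PRES_CONTEXT, pc, pl);
    off = put_item(out, off, ITEM_USER_INFO, max_len_sub, sizeof max_len_sub);
    out[2] = (uint8_t)((off - 6) >> 24); out[3] = (uint8_t)((off - 6) >> 16);
    out[4] = (uint8_t)((off - 6) >> 8);  out[5] = (uint8_t)(off - 6);
    if (oversize_pres_ctx) { out[pc_off + 2] = 0xFF; out[pc_off + 3] = 0xFF; }
    return off;
}

/* Three scenarios: well-formed, oversized item length, PDU cut one byte short. */
int check_wellformed(void) { uint8_t b[256]; size_t n = build_sample_assoc_rq(b, 0); return validate_assoc_rq(b, n); }
int check_oversized(void)  { uint8_t b[256]; size_t n = build_sample_assoc_rq(b, 1); return validate_assoc_rq(b, n); }
int check_truncated(void)  { uint8_t b[256]; size_t n = build_sample_assoc_rq(b, 0); return validate_assoc_rq(b, n - 1); }

int main(void)
{
    printf("well-formed: %d presentation context(s)\n", check_wellformed());
    printf("oversized item length: %d\n", check_oversized());
    printf("truncated PDU: %d\n", check_truncated());
    return 0;
}
```

The point of the example is the order of operations: every length is compared with the bytes that remain in the enclosing structure before it is used as a copy size or an offset, and a mismatch rejects the whole association request rather than being "fixed up". The same rule applies one level down, where a sub-item length must stay inside its presentation context item.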

--------------------------------------------------------------------------------

0:002> g
(820.fc4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Users\lqwrm\Downloads\dicomserver1419beta3b\dgate64.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Downloads\dicomserver1419beta3b\dgate64.exe
dgate64+0xb9a29:
000000013fe09a29 488b5108        mov     rdx,qword ptr [rcx+8] ds:424242424242424a=????????????????
0:002> r
rax=0000000044444444 rbx=000000000298c910 rcx=4242424242424242
rdx=000001400046001a rsi=0000000000001105 rdi=000000000041dc50
rip=000000013fe09a29 rsp=000000000298b840 rbp=000000000298e8e4
 r8=000000000041dc40  r9=0000000000000402 r10=0000000000000281
r11=0000013f004a0019 r12=0000000000003eb7 r13=0000000000000000
r14=0000000000000000 r15=000000000298c910
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
dgate64+0xb9a29:
000000013fe09a29 488b5108        mov     rdx,qword ptr [rcx+8] ds:424242424242424a=????????????????
0:002> u
dgate64+0xb9a29:
000000013fe09a29 488b5108        mov     rdx,qword ptr [rcx+8]
000000013fe09a2d 488b4110        mov     rax,qword ptr [rcx+10h]
000000013fe09a31 4885d2          test    rdx,rdx
000000013fe09a34 7406            je      dgate64+0xb9a3c (000000013fe09a3c)
000000013fe09a36 48894210        mov     qword ptr [rdx+10h],rax
000000013fe09a3a eb04            jmp     dgate64+0xb9a40 (000000013fe09a40)
000000013fe09a3c 48894328        mov     qword ptr [rbx+28h],rax
000000013fe09a40 488b5110        mov     rdx,qword ptr [rcx+10h]
0:002> 
dgate64+0xb9a44:
000000013fe09a44 488b4108        mov     rax,qword ptr [rcx+8]
000000013fe09a48 4885d2          test    rdx,rdx
000000013fe09a4b 7406            je      dgate64+0xb9a53 (000000013fe09a53)
000000013fe09a4d 48894208        mov     qword ptr [rdx+8],rax
000000013fe09a51 eb04            jmp     dgate64+0xb9a57 (000000013fe09a57)
000000013fe09a53 48894330        mov     qword ptr [rbx+30h],rax
000000013fe09a57 ba18000000      mov     edx,18h
000000013fe09a5c e804caf4ff      call    dgate64+0x6465 (000000013fd56465)
0:002> kb e

RetAddr           : Args to Child                                                           : Call Site

00 000000013fe104d2 : 0000000000457a28 0000000000008014 000000000298b8d9 0000000000000000 : dgate64+0xb9a29
01 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : dgate64+0xc04d2
02 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
03 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
04 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
05 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
06 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
07 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
08 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
09 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
0a 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
0b 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
0c 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
0d 4141414141414141 : 4141414141414141 4141414141414141 4141414141414141 4141414141414141 : 0x4141414141414141
0:002> !exchain
100 stack frames, scanning for handlers...
Frame 0x01: dgate64+0xc04d2 (000000013fe104d2) ehandler dgate64+0x552e (000000013fd5552e)
Frame 0x02: error getting module for 4141414141414141
Frame 0x03: error getting module for 4141414141414141
Frame 0x04: error getting module for 4141414141414141
Frame 0x05: error getting module for 4141414141414141
Frame 0x06: error getting module for 4141414141414141
Frame 0x07: error getting module for 4141414141414141
Frame 0x08: error getting module for 4141414141414141
Frame 0x09: error getting module for 4141414141414141
Frame 0x0a: error getting module for 4141414141414141
Frame 0x0b: error getting module for 4141414141414141
Frame 0x0c: error getting module for 4141414141414141
Frame 0x0d: error getting module for 4141414141414141
Frame 0x0e: error getting module for 4141414141414141
Frame 0x0f: error getting module for 4141414141414141
Frame 0x10: error getting module for 4141414141414141
Frame 0x11: error getting module for 4141414141414141
Frame 0x12: error getting module for 4141414141414141
Frame 0x13: error getting module for 4141414141414141
Frame 0x14: error getting module for 4141414141414141
Frame 0x15: error getting module for 4141414141414141
Frame 0x16: error getting module for 4141414141414141
...
...
Frame 0x61: error getting module for 4141414141414141
Frame 0x62: error getting module for 4141414141414141
Frame 0x63: error getting module for 4141414141414141
0:002> g

STATUS_STACK_BUFFER_OVERRUN encountered
(820.fc4): Break instruction exception - code 80000003 (first chance)
kernel32!UnhandledExceptionFilter+0x71:
000000007796bb21 cc              int     3
0:002> g
ntdll!ZwWaitForSingleObject+0xa:
0000000077a3bb7a c3              ret
--------------------------------------------------------------------------------

Vendor

University of Manchester. Developed by Marcel van Herk, Lambert Zijp and Jan Meinders. The Netherlands Cancer Institute - <https://ingenium.home.xs4all.nl/dicom.html>

Affected Version

1.4.17d
1.4.19beta3a
1.4.19beta3b

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Linux Ubuntu 14.04.5
Solaris 10
macOS/10.12.2

Vendor Status

N/A

PoC

conquest_bof.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40927/>
[2] <https://packetstormsecurity.com/files/140190>
[3] <https://cxsecurity.com/issue/WLB-2016120095>
[4] <http://www.vfocus.net/art/20161219/13213.html>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/119843>

Changelog

[16.12.2016] - Initial release
[20.12.2016] - Added reference [1], [2], [3] and [4]
[24.12.2016] - Added reference [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;