Horos 2.1.0 DICOM Medical Image Viewer Remote Memory Overflow Vulnerability

2016-12-16T00:00:00
ID ZSL-2016-5386
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-12-16T00:00:00

Description

Title: Horos 2.1.0 DICOM Medical Image Viewer Remote Memory Overflow Vulnerability
Advisory ID: ZSL-2016-5386
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 16.12.2016

Summary

Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to develop a fully functional, 64-bit medical image viewer for OS X. Horos is based upon OsiriX and other open source medical imaging libraries.

Description

The vulnerability is caused by the use of a vulnerable collection of libraries that are part of the DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol (DUL). A stack/heap buffer overflow/underflow can be triggered when the DICOM Store-SCP service receives an ACSE data structure with a wrong length over the network and processes it. An attacker can overflow the stack and the heap of the process by sending a large array of bytes to the presentation context item length segment of the DICOM standard, potentially resulting in remote code execution and/or a denial of service scenario.
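
The length checks a DUL parser needs on a received association request, as an added defensive example (not code from this advisory, Horos or DCMTK). It assumes the A-ASSOCIATE-RQ layout from DICOM PS3.8: a 6-byte PDU header, 68 fixed bytes, then type/reserved/length items. The function names, error codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { UL_OK = 0, UL_SHORT = -1, UL_BAD_TYPE = -2, UL_BAD_PDU_LEN = -3, UL_BAD_ITEM_LEN = -4 };

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) { return (be16(p) << 16) | be16(p + 2); }

/* Walk items laid out as type(1) reserved(1) length(2, big-endian) value.
 * Every declared length must fit in the bytes that remain. A presentation
 * context item (0x20) holds a 4-byte ID/reserved field, then sub-items. */
static int walk_items(const uint8_t *p, size_t n, int depth)
{
    while (n > 0) {
        if (n < 4) return UL_BAD_ITEM_LEN;         /* truncated item header */
        size_t ilen = be16(p + 2);
        if (ilen > n - 4) return UL_BAD_ITEM_LEN;  /* length overruns buffer */
        if (depth == 0 && p[0] == 0x20) {
            if (ilen < 4) return UL_BAD_ITEM_LEN;  /* no room for context ID */
            int rc = walk_items(p + 8, ilen - 4, 1);
            if (rc != UL_OK) return rc;            /* sub-item overruns item */
        }
        p += 4 + ilen;
        n -= 4 + ilen;
    }
    return UL_OK;
}

/* Validate a whole A-ASSOCIATE-RQ PDU before any field is copied out.
 * 6-byte PDU header + 68 fixed bytes precede the variable items. */
int validate_assoc_rq(const uint8_t *buf, size_t len)
{
    if (len < 6) return UL_SHORT;
    if (buf[0] != 0x01) return UL_BAD_TYPE;
    uint32_t pdu_len = be32(buf + 2);
    if (pdu_len != len - 6 || pdu_len < 68) return UL_BAD_PDU_LEN;
    return walk_items(buf + 74, len - 74, 0);
}

int main(void)
{
    /* Constructed sample: one presentation context with one sub-item. */
    uint8_t pdu[90] = {0x01, 0x00, 0x00, 0x00, 0x00, 84};
    pdu[74] = 0x20; pdu[77] = 12; pdu[78] = 1; pdu[82] = 0x30; pdu[85] = 4;
    printf("well-formed: %d\n", validate_assoc_rq(pdu, sizeof pdu));
    pdu[77] = 200;  /* declared item length larger than the PDU */
    printf("bad length:  %d\n", validate_assoc_rq(pdu, sizeof pdu));
    return 0;
}
```

A receiver that rejects the association on any non-zero result never reaches the copy step with an unchecked length.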

Vendor

Horos Project - <https://www.horosproject.org>

Affected Version

2.1.0

Tested On

macOS 12.10.2 (Sierra)
macOS 12.10.1 (Sierra)

Vendor Status

[15.12.2016] Vendor informed.

PoC

horos_bof.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40929/>
[2] <https://packetstormsecurity.com/files/140193>
[3] <https://cxsecurity.com/issue/WLB-2016120104>
[4] <http://www.vfocus.net/art/20161219/13215.html>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/119842>

Changelog

[16.12.2016] - Initial release
[20.12.2016] - Added reference [1], [2], [3] and [4]
[24.12.2016] - Added reference [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        