SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit

2017-02-11T00:00:00
ID ZSL-2017-5396
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-02-11T00:00:00

Description

Title: SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Advisory ID: ZSL-2017-5396
Type: Local/Remote
Impact: Privilege Escalation, Cross-Site Scripting
Risk: (4/5)
Release Date: 11.02.2017

Summary

SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer.

Description

The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by sending an HTTP PATCH request setting the parameter 'Authority' to the integer value '1', gaining admin rights.
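
A server-side guard against the flaw described above, as an added example (not SonicDICOM's code and not part of the advisory). Only the 'Authority' parameter and the admin value 1 come from the advisory; the session model, the other field names and the function names are assumptions.

```python
# Added example: server-side authorization for a user-record PATCH.
# Only 'Authority' and the admin value 1 come from the advisory; every other
# name (Session, Forbidden, SELF_EDITABLE, the field names) is hypothetical.
from dataclasses import dataclass

ADMIN = 1                                    # advisory: Authority == 1 grants admin rights
PRIVILEGED_FIELDS = {"Authority"}            # fields only an admin may change
SELF_EDITABLE = {"Password", "DisplayName"}  # assumed self-service fields


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a real handler."""


@dataclass(frozen=True)
class Session:
    user_id: int
    authority: int  # loaded from the server-side user store, never from the request


def authorize_user_patch(session: Session, target_user_id: int, patch: dict) -> dict:
    """Return the fields of `patch` that may be applied, or raise Forbidden."""
    is_admin = session.authority == ADMIN
    # Non-admins may only modify their own record.
    if not is_admin and target_user_id != session.user_id:
        raise Forbidden("cannot modify another user's record")
    # Match names case-insensitively, in case the data layer binds them that way.
    canon = {f.lower(): f for f in PRIVILEGED_FIELDS | SELF_EDITABLE}
    accepted = {}
    for name, value in patch.items():
        field = canon.get(str(name).lower())
        if field is None or field in accepted:
            raise Forbidden(f"unknown or duplicate field {name!r}")
        if field in PRIVILEGED_FIELDS:
            if not is_admin:
                raise Forbidden(f"{field} requires admin rights")
            # Strict type check: reject "1", 1.0 and True as role values.
            if type(value) is not int:
                raise Forbidden(f"{field} must be an integer")
        accepted[field] = value
    return accepted
```

The decision depends only on the caller's stored role, so a request body that names 'Authority' is rejected for every non-admin session regardless of the value it carries.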

Vendor

JIUN Corporation - <https://www.sonicdicom.com>

Affected Version

2.3.2 and 2.3.1

Tested On

Microsoft-HTTPAPI/2.0

Vendor Status

[22.11.2016] Vulnerability discovered.
[28.11.2016] Vendor contacted.
[29.11.2016] Vendor responds asking for more details.
[29.11.2016] Sent details to the vendor.
[30.11.2016] Vendor replies.
[04.12.2016] Asked vendor for status update.
[06.12.2016] Vendor is checking the issues.
[14.12.2016] Asked vendor for confirmation of the issues.
[14.12.2016] Meanwhile, vendor releases version 2.3.2 which fixes a bug in DICOM comm.
[15.12.2016] Vendor confirms the issues, scheduling patch in April 2017.
[26.01.2017] Asked vendor for status update.
[27.01.2017] Vendor replies.
[11.02.2017] Public security advisory released.

PoC

sonicdicom_eop.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/41311/>
[2] <https://cxsecurity.com/issue/WLB-2017020109>
[3] <https://packetstormsecurity.com/files/141052>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/121963>

Changelog

[11.02.2017] - Initial release
[18.02.2017] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        