
OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability

High
Advisory ID: ZSL-2016-5382
Release Date: 16 December 2016
Vendor:
Affected Version: OsiriX 8.0.1
CVE: N/A
Tested On: OS X 10.12.2 (Sierra), OS X 10.12.1 (Sierra)
Summary

With high performance and an intuitive interactive user interface, OsiriX MD is the most widely used DICOM viewer in the world. It is the result of more than 10 years of research and development in digital imaging. It fully supports the DICOM standard for easy integration into your workflow environment and provides an open platform for the development of processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive innovative techniques for 3D and 4D navigation, and complete integration with any PACS. OsiriX MD supports 64-bit computing and multithreading for the best performance on the most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.

OsiriX is an image processing application for Mac dedicated to DICOM images (".dcm" / ".DCM" extension) produced by medical imaging equipment (MRI, CT, PET, PET-CT, ...). OsiriX is complementary to existing viewers, in particular to nuclear medicine viewers.

Description

The vulnerability is caused by the use of a vulnerable set of libraries from the DCMTK toolkit, specifically the parser for the DICOM Upper Layer Protocol (DUL) in dulparse.cc. A stack or heap buffer overflow/underflow can be triggered when the DICOM Store-SCP service processes an ACSE data structure received over the network whose length field is wrong. By sending a large array of bytes in the presentation context item length segment defined by the DICOM standard, an attacker can overflow the stack and the heap of the process, potentially resulting in remote code execution and/or a denial of service condition.

(lldb) Process 65202 stopped
* thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)
    frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
OsiriX Lite`parseAssociate:
->  0x108978441 <+833>:  movzbl (%r10), %eax
    0x108978445 <+837>:  cmpl   $0x40, %eax
    0x108978448 <+840>:  movq   -0x200(%rbp), %rcx
    0x10897844f <+847>:  je     0x108978513               ; <+1043>

(lldb) bt
* thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)
  * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
    frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339
    frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314
    frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348
    frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462
    frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207
    frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999
    frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519
    frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243
    frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180
    frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286
    frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13

(lldb) register read
General Purpose Registers:
       rax = 0x0000000000000103
       rbx = 0x00000001044c18d8  OsiriX Lite`ECC_Normal
       rcx = 0x00006100002e6200
       rdx = 0x000000000001ad41
       rdi = 0x00000001044c18d8  OsiriX Lite`ECC_Normal
       rsi = 0x00006100002e6200
       rbp = 0x0000700005a4a670
       rsp = 0x0000700005a4a420
        r8 = 0x0000000000000103
        r9 = 0x00000000fb40cfc6
       r10 = 0x00007fab8ac000a1
       r11 = 0x0000000000000041
       r12 = 0x0000700005a4a6b8
       r13 = 0x00000001044c18f0  OsiriX Lite`EC_Normal
       r14 = 0x00000001044c18d8  OsiriX Lite`ECC_Normal
       r15 = 0x0000000000008014
       rip = 0x0000000102fe8441  OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
    rflags = 0x0000000000010286
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000
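The root cause described above is an item length in the A-ASSOCIATE-RQ that the DUL parser trusted without comparing it against the number of bytes actually received; the faulting instruction reads a byte through r10 and then compares it with 0x40, the Transfer Syntax sub-item type, which is consistent with a walk over presentation context sub-items that ran past the end of the received data. The C code below is an added example, not DCMTK's or OsiriX's code, showing how a receiver can validate the variable items of an A-ASSOCIATE-RQ (and the sub-items nested inside a presentation context) against the received buffer before reading any payload byte. The item type codes and the 74-byte fixed header layout follow DICOM PS3.8; the function names, the sample PDU builder and the AE titles are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Item type codes from DICOM PS3.8 (A-ASSOCIATE-RQ variable items). */
#define ITEM_APPLICATION_CONTEXT     0x10
#define ITEM_PRESENTATION_CONTEXT_RQ 0x20
#define ITEM_ABSTRACT_SYNTAX         0x30
#define ITEM_TRANSFER_SYNTAX         0x40

/* Fixed part of an A-ASSOCIATE-RQ: type(1) reserved(1) length(4) version(2)
 * reserved(2) called AE(16) calling AE(16) reserved(32) = 74 bytes. */
#define ASSOC_RQ_FIXED_LEN 74

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the sub-items of one presentation context item. buf/len cover only the
 * item's payload, which starts with ID(1) and reserved(3). Returns the number
 * of sub-items, or -1 if any header or declared length runs past `len`. */
static int walk_sub_items(const uint8_t *buf, size_t len)
{
    size_t off = 4;
    int count = 0;
    if (len < 4) return -1;
    while (off < len) {
        if (len - off < 4) return -1;        /* truncated sub-item header */
        uint8_t type = buf[off];             /* type byte (0x30/0x40) read only after the check */
        uint16_t ilen = be16(buf + off + 2);
        off += 4;
        if (ilen > len - off) return -1;     /* declares more bytes than were received */
        (void)type;                          /* a real SCP would record the syntax here */
        off += ilen;
        count++;
    }
    return count;
}

/* Validate the variable items of an A-ASSOCIATE-RQ. pdu points at the PDU
 * type byte; pdu_len is the byte count actually received from the socket.
 * Returns the number of top-level items, or -1 on any inconsistency. */
int parse_associate_items(const uint8_t *pdu, size_t pdu_len)
{
    size_t off = ASSOC_RQ_FIXED_LEN;
    int count = 0;
    if (pdu_len < ASSOC_RQ_FIXED_LEN || pdu[0] != 0x01) return -1;
    /* The 4-byte PDU length counts everything after the 6-byte preamble. */
    uint32_t declared = ((uint32_t)pdu[2] << 24) | ((uint32_t)pdu[3] << 16) |
                        ((uint32_t)pdu[4] << 8)  |  (uint32_t)pdu[5];
    if (declared != pdu_len - 6) return -1;
    while (off < pdu_len) {
        if (pdu_len - off < 4) return -1;
        uint8_t type = pdu[off];
        uint16_t ilen = be16(pdu + off + 2);
        off += 4;
        if (ilen > pdu_len - off) return -1;
        if (type == ITEM_PRESENTATION_CONTEXT_RQ &&
            walk_sub_items(pdu + off, ilen) < 0) return -1;
        off += ilen;
        count++;
    }
    return count;
}

/* ---- constructed sample input (not captured traffic) ---- */
static size_t put_item(uint8_t *p, uint8_t type, const void *data, size_t n, uint16_t declared)
{
    p[0] = type; p[1] = 0;
    p[2] = (uint8_t)(declared >> 8); p[3] = (uint8_t)declared;
    memcpy(p + 4, data, n);
    return 4 + n;
}

/* Builds a minimal A-ASSOCIATE-RQ with one application context item and one
 * presentation context. With bad_length set, the transfer syntax sub-item
 * declares 0xFFFF bytes while only 17 are present. */
size_t build_sample_pdu(uint8_t *out, int bad_length)
{
    const char *app_ctx = "1.2.840.10008.3.1.1.1"; /* DICOM application context */
    const char *abs_syn = "1.2.840.10008.1.1";     /* Verification SOP class */
    const char *ts      = "1.2.840.10008.1.2";     /* Implicit VR little endian */
    uint8_t pc[64];
    size_t n = 4, off;
    pc[0] = 1; pc[1] = pc[2] = pc[3] = 0;         /* presentation context ID 1 */
    n += put_item(pc + n, ITEM_ABSTRACT_SYNTAX, abs_syn, strlen(abs_syn), (uint16_t)strlen(abs_syn));
    n += put_item(pc + n, ITEM_TRANSFER_SYNTAX, ts, strlen(ts),
                  bad_length ? 0xFFFF : (uint16_t)strlen(ts));
    memset(out, 0, ASSOC_RQ_FIXED_LEN);
    out[0] = 0x01; out[7] = 0x01;                 /* A-ASSOCIATE-RQ, protocol version 1 */
    memset(out + 10, ' ', 32);                    /* space-padded AE titles (constructed) */
    memcpy(out + 10, "STORESCP", 8); memcpy(out + 26, "TESTSCU", 7);
    off = ASSOC_RQ_FIXED_LEN;
    off += put_item(out + off, ITEM_APPLICATION_CONTEXT, app_ctx, strlen(app_ctx), (uint16_t)strlen(app_ctx));
    off += put_item(out + off, ITEM_PRESENTATION_CONTEXT_RQ, pc, n, (uint16_t)n);
    uint32_t declared = (uint32_t)(off - 6);
    out[2] = (uint8_t)(declared >> 24); out[3] = (uint8_t)(declared >> 16);
    out[4] = (uint8_t)(declared >> 8);  out[5] = (uint8_t)declared;
    return off;
}

int check_well_formed(void) { uint8_t b[256]; return parse_associate_items(b, build_sample_pdu(b, 0)); }
int check_bad_length(void)  { uint8_t b[256]; return parse_associate_items(b, build_sample_pdu(b, 1)); }

int main(void)
{
    printf("well-formed request: %d items\n", check_well_formed()); /* 2 */
    printf("bad sub-item length: %d\n", check_bad_length());        /* -1 */
    return 0;
}
```

The two checks that matter are the ones against the received byte count (`ilen > pdu_len - off` and, for the nested walk, `ilen > len - off`): every length field in the PDU is attacker-supplied, so the only trustworthy bound is the number of bytes the socket actually delivered, and the nested sub-item lengths must be bounded by the enclosing item, not by the whole PDU.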
Proof of Concept
Disclosure Timeline
29.11.2016 - Vulnerability discovered.
30.11.2016 - Vendor contacted.
30.11.2016 - Vendor responds asking for more details.
02.12.2016 - Sent details to the vendor.
02.12.2016 - Vendor states that the issue is in the DCMTK library, which they didn't develop, and thus will not try to reproduce or fix this vulnerability.
16.12.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
16.12.2016 - Initial release
20.12.2016 - Added references [3], [4], [5] and [6]