
SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit

Severity: High
Advisory ID: ZSL-2017-5395
Release Date: 11 February 2017
Vendor: JIUN Corporation - https://www.sonicdicom.com
Affected Version: 2.3.2 and 2.3.1
CVE: N/A
Tested On: Microsoft-HTTPAPI/2.0
Summary

SonicDICOM is PACS software that combines the capabilities of a DICOM server with a web-browser-based DICOM viewer.

Description

The application interface allows users to perform certain state-changing actions via HTTP requests without any check that the request was intentionally issued by the user rather than forged by a third-party site (no anti-CSRF token or origin validation). This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
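The missing check the description refers to is, in practice, a per-session anti-CSRF token combined with validation of the request's Origin (or Referer) header. The following is an added illustration of such a check, not code from the advisory or from the SonicDICOM product; the application origin, the in-memory session store and the sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the PACS web interface (assumption, not from the advisory).
APP_ORIGIN = "https://pacs.example.internal"

# Constructed stand-in for a server-side session store: session id -> anti-CSRF token.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unguessable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def csrf_check(method, headers, form, session_id):
    """Return (ok, reason) for an incoming request.

    A request is accepted only if (1) it uses a safe method, or (2) the Origin
    (falling back to Referer) header names the application's own origin AND the
    submitted token equals the token bound to the session, compared in constant
    time. A cross-site form post carries the victim's cookies but neither the
    application origin nor the session-bound token, so it is rejected.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods never change state, so they need no token; this holds only
        # if the application really does not perform actions on GET.
        return True, "safe method"
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False, "no session"
    hdr = {k.lower(): v for k, v in headers.items()}
    src = hdr.get("origin") or hdr.get("referer")
    if src is None:
        # Strict policy: a state-changing request with neither header is refused.
        return False, "missing Origin/Referer"
    if origin_of(src) != APP_ORIGIN:
        return False, "cross-site origin"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, expected):
        return False, "bad token"
    return True, "ok"


def demo():
    """Constructed legitimate and forged 'add user' requests on the same session."""
    sid, tok = new_session()
    legit = csrf_check(
        "POST",
        {"Origin": APP_ORIGIN, "Cookie": f"sid={sid}"},
        {"username": "newadmin", "role": "admin", "csrf_token": tok},
        sid,
    )
    # A form auto-submitted from another site: same cookies, foreign Origin, no token.
    forged = csrf_check(
        "POST",
        {"Origin": "https://attacker.example", "Cookie": f"sid={sid}"},
        {"username": "newadmin", "role": "admin"},
        sid,
    )
    return legit, forged


if __name__ == "__main__":
    print(demo())
```

The token check alone already defeats a cross-site form post; the origin check is a second, independent layer that also catches requests where a token has leaked. Both checks must be applied on the server to every state-changing endpoint, not only to the login form.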

Proof of Concept

Disclosure Timeline

22.11.2016 Vulnerability discovered.
28.11.2016 Vendor contacted.
29.11.2016 Vendor responds asking for more details.
29.11.2016 Sent details to the vendor.
30.11.2016 Vendor replies.
04.12.2016 Asked vendor for status update.
06.12.2016 Vendor is checking the issues.
14.12.2016 Asked vendor for confirmation of the issues.
14.12.2016 Meanwhile, vendor releases version 2.3.2, which fixes a bug in DICOM communication.
15.12.2016 Vendor confirms the issues, scheduling a patch for April 2017.
26.01.2017 Asked vendor for status update.
27.01.2017 Vendor replies.
11.02.2017 Public security advisory released.
Credits

Vulnerability discovered by Gjoko Krstic

References

Changelog

11.02.2017 Initial release
18.02.2017 Added references [1], [2], [3] and [4]