SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit

High
Advisory ID
ZSL-2017-5396
Release Date
11 February 2017
Vendor
JIUN Corporation - https://www.sonicdicom.com
Affected Version
2.3.2 and 2.3.1
CVE
N/A
Tested On
Microsoft-HTTPAPI/2.0
Summary

SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer.

Description

The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges to administrator by sending an HTTP PATCH request that sets the parameter 'Authority' to the integer value '1'; the server applies the change without checking that the caller is allowed to modify that field.
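
The defect class behind this advisory is a privileged account attribute ('Authority') that a PATCH handler writes straight from the request body without an authorization check. The following is an added example of the server-side check a defender would want in such a handler; it is not SonicDICOM code, and the field names, the role values (Authority 1 = admin, 0 = normal) and the request shape are assumptions made for illustration.

```python
"""
Added example (not SonicDICOM's code): an authorization check for a
user-account PATCH endpoint. The advisory describes a normal user becoming
admin by sending a PATCH that sets 'Authority' to 1; the fix pattern is to
stop mass-assigning privileged fields and to check who the caller is.
Field names, role values and the request shape are assumptions.
"""
from dataclasses import dataclass, field

ADMIN = 1    # assumed: advisory says Authority=1 grants admin rights
NORMAL = 0   # assumed value for a non-admin account

# Fields an account holder may change on their own record.
# 'Authority' is deliberately absent: it is never self-editable.
SELF_EDITABLE_FIELDS = frozenset({"DisplayName", "Email", "Password"})


@dataclass
class User:
    user_id: int
    authority: int
    attrs: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller is not allowed to make the requested change."""


def apply_user_patch(actor: User, target: User, patch: dict) -> User:
    """Apply the PATCH body `patch` to `target` on behalf of `actor`.

    Hardening rules for the bug class in the advisory:
      1. Only an admin may modify an account other than their own.
      2. Only an admin may touch the privileged 'Authority' field at all.
      3. Every other key must be in the self-editable allowlist; unknown
         keys are rejected instead of being written to the record.
    All checks run before any write, so a rejected patch changes nothing.
    """
    is_admin = actor.authority == ADMIN
    if target.user_id != actor.user_id and not is_admin:
        raise Forbidden("cannot modify another user's account")
    for key in patch:
        if key == "Authority":
            if not is_admin:
                raise Forbidden("Authority may only be changed by an admin")
        elif key not in SELF_EDITABLE_FIELDS:
            raise Forbidden(f"field not patchable: {key}")
    # Authorized: apply the changes.
    for key, value in patch.items():
        if key == "Authority":
            target.authority = int(value)
        else:
            target.attrs[key] = value
    return target


if __name__ == "__main__":
    # Constructed sample accounts for a stand-alone run.
    alice = User(user_id=7, authority=NORMAL)
    root = User(user_id=1, authority=ADMIN)
    try:
        apply_user_patch(alice, alice, {"Authority": 1})
    except Forbidden as exc:
        print("self-elevation rejected:", exc)
    apply_user_patch(root, alice, {"Authority": 1})
    print("admin-granted authority:", alice.authority)
```

The validation loop is separated from the write loop so that a PATCH mixing an allowed field with 'Authority' is rejected as a whole rather than partially applied; a server-side log entry for each Forbidden result is the natural detection hook for attempts of this kind.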

Proof of Concept
Disclosure Timeline
22.11.2016 Vulnerability discovered.
28.11.2016 Vendor contacted.
29.11.2016 Vendor responds asking for more details.
29.11.2016 Sent details to the vendor.
30.11.2016 Vendor replies.
04.12.2016 Asked vendor for status update.
06.12.2016 Vendor is checking the issues.
14.12.2016 Asked vendor for confirmation of the issues.
14.12.2016 Meanwhile, vendor releases version 2.3.2, which fixes a bug in DICOM communication.
15.12.2016 Vendor confirms the issues, scheduling a patch for April 2017.
26.01.2017 Asked vendor for status update.
27.01.2017 Vendor replies.
11.02.2017 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
11.02.2017 Initial release
18.02.2017 Added references [1], [2], [3] and [4]