SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit

Title: SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit
Advisory ID: ZSL-2017-5395
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 11.02.2017
Summary
SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer.
Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
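The validity check that the description says is absent, shown as an added example that is not part of this advisory or of SonicDICOM's code: a minimal Python model of an add-admin request handler in the unprotected form the advisory describes, beside the same handler with an Origin check and a session-bound anti-CSRF token. The endpoint shape, session layout and application origin are assumed placeholders, since the advisory does not give SonicDICOM's actual request format.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed placeholder origin of the PACS web interface (not from the advisory).
APP_ORIGIN = "https://pacs.example.internal"


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session (synchronizer token pattern)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def add_admin_unprotected(session, request):
    """Behaviour the advisory describes: a logged-in session is all that is checked,
    so a form auto-submitted by another site is accepted like a legitimate one."""
    if not session.get("user"):
        return 401, "login required"
    session.setdefault("admins", []).append(request["form"]["username"])
    return 200, "admin added"


def add_admin_protected(session, request):
    """Same action with the validity checks the advisory says are missing."""
    if not session.get("user"):
        return 401, "login required"
    # Check 1: the request must originate from the application itself.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None:
        return 403, "cross-site request rejected"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
        return 403, "cross-site request rejected"
    # Check 2: the submitted token must match the one bound to this session.
    expected = session.get("csrf_token", "")
    submitted = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "missing or invalid anti-CSRF token"
    session.setdefault("admins", []).append(request["form"]["username"])
    return 200, "admin added"
```

Both checks are kept because older browsers may omit Origin and Referer can be stripped by privacy settings; the session-bound token is the one that must never be skipped.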
Vendor
JIUN Corporation - https://www.sonicdicom.com
Affected Version
2.3.2 and 2.3.1
Tested On
Microsoft-HTTPAPI/2.0
Vendor Status
[22.11.2016] Vulnerability discovered.
[28.11.2016] Vendor contacted.
[29.11.2016] Vendor responds asking more details.
[29.11.2016] Sent details to the vendor.
[30.11.2016] Vendor replies.
[04.12.2016] Asked vendor for status update.
[06.12.2016] Vendor is checking the issues.
[14.12.2016] Asked vendor for confirmation of the issues.
[14.12.2016] Meanwhile, vendor releases version 2.3.2, which fixes a bug in DICOM communication.
[15.12.2016] Vendor confirms the issues, scheduling patch in April 2017.
[26.01.2017] Asked vendor for status update.
[27.01.2017] Vendor replies.
[11.02.2017] Public security advisory released.
PoC
sonicdicom_csrf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/41310/
[2] https://cxsecurity.com/issue/WLB-2017020110
[3] https://packetstormsecurity.com/files/141051
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/121961
Changelog
[11.02.2017] - Initial release
[18.02.2017] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk