OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability

Title: OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability
Advisory ID: ZSL-2016-5382
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 16.12.2016
Summary
With high performance and an intuitive interactive user interface, OsiriX MD is the most widely used DICOM viewer in the world. It is the result of more than 10 years of research and development in digital imaging. It fully supports the DICOM standard for easy integration into your workflow environment and provides an open platform for the development of processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive innovative techniques for 3D and 4D navigation, and complete integration with any PACS. OsiriX MD supports 64-bit computing and multithreading for the best performance on the most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.

OsiriX is an image processing application for Mac dedicated to DICOM images (".dcm" / ".DCM" extension) produced by imaging equipment (MRI, CT, PET, PET-CT, ...). OsiriX is complementary to existing viewers, in particular to nuclear medicine viewers.
Description
The vulnerability is caused by the use of a vulnerable collection of libraries that are part of the DCMTK toolkit, specifically the parser for the DICOM Upper Layer Protocol (DUL). A stack/heap buffer overflow or underflow can be triggered when the DICOM Store-SCP service receives and processes an ACSE data structure with an incorrect length over the network. An attacker who sends a large array of bytes in the presentation context item length segment of the DICOM standard can overflow the stack and the heap of the process, potentially resulting in remote code execution and/or a denial of service.
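The root cause described above is an item length field that is trusted without checking it against the bytes actually received. The following is an added example, written for this advisory and not taken from the osirix_bof.py PoC or from DCMTK, of an A-ASSOCIATE-RQ item walker that applies that check: item and sub-item type codes follow DICOM PS3.8, and the two PDUs at the end (one sane, one whose presentation context item claims far more bytes than follow it) are constructed inline so the parser can be exercised offline.

```python
import struct
# Item and sub-item type codes of the DICOM Upper Layer protocol (PS3.8)
APP_CONTEXT, PRES_CONTEXT, USER_INFO = 0x10, 0x20, 0x50
ABSTRACT_SYNTAX, TRANSFER_SYNTAX = 0x30, 0x40
FIXED = 6 + 2 + 2 + 16 + 16 + 32  # PDU header plus fixed A-ASSOCIATE-RQ fields

def _walk_items(buf, start, end):
    # Each item: 1-byte type, 1 reserved byte, 2-byte big-endian length, payload.
    off = start
    while off < end:
        if end - off < 4:
            raise ValueError("truncated item header at offset %d" % off)
        itype, _, ilen = struct.unpack_from(">BBH", buf, off)
        if off + 4 + ilen > end:  # the declared length must fit in what was received
            raise ValueError("item 0x%02x claims %d bytes, only %d remain" % (itype, ilen, end - off - 4))
        yield itype, buf[off + 4:off + 4 + ilen]
        off += 4 + ilen

def parse_associate_rq(pdu):
    # Returns [(item_type, payload), ...]; raises ValueError on any bad length field.
    if len(pdu) < FIXED or pdu[0] != 0x01 or struct.unpack_from(">I", pdu, 2)[0] != len(pdu) - 6:
        raise ValueError("not an A-ASSOCIATE-RQ, or PDU length disagrees with bytes received")
    items = list(_walk_items(pdu, FIXED, len(pdu)))
    for itype, data in items:
        if itype == PRES_CONTEXT:  # context id + 3 reserved bytes, then sub-items
            if len(data) < 4:
                raise ValueError("presentation context item too short")
            list(_walk_items(data, 4, len(data)))  # abstract/transfer syntax sub-items
    return items

def is_well_formed(pdu):  # True only when every length field is consistent
    try:
        return parse_associate_rq(pdu) is not None
    except ValueError:
        return False

def _item(itype, payload):
    return struct.pack(">BBH", itype, 0, len(payload)) + payload

# Constructed sample PDUs (version 1, dummy AE titles): a sane request, and one
# whose presentation context item declares 0x8000 bytes while only 4 follow.
_FIXED_FIELDS = struct.pack(">HH", 1, 0) + b"STORESCP".ljust(16) + b"CLIENT".ljust(16) + bytes(32)
def build_rq(variable_items):
    return struct.pack(">BBI", 0x01, 0, len(_FIXED_FIELDS) + len(variable_items)) + _FIXED_FIELDS + variable_items
PC = _item(PRES_CONTEXT, bytes([1, 0, 0, 0]) + _item(ABSTRACT_SYNTAX, b"1.2.840.10008.1.1")
           + _item(TRANSFER_SYNTAX, b"1.2.840.10008.1.2"))
GOOD_RQ = build_rq(_item(APP_CONTEXT, b"1.2.840.10008.3.1.1.1") + PC + _item(USER_INFO, b""))
BAD_RQ = build_rq(struct.pack(">BBH", PRES_CONTEXT, 0, 0x8000) + bytes(4))
```

A parser that rejects BAD_RQ before touching its payload never issues the out-of-bounds read that the lldb session below shows in parseAssociate.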

--------------------------------------------------------------------------------

(lldb)
Process 65202 stopped
* thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)
frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
OsiriX Lite`parseAssociate:
-> 0x108978441 <+833>: movzbl (%r10), %eax
0x108978445 <+837>: cmpl $0x40, %eax
0x108978448 <+840>: movq -0x200(%rbp), %rcx
0x10897844f <+847>: je 0x108978513 ; <+1043>
(lldb) bt
* thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)
* frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339
frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314
frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348
frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462
frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207
frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999
frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519
frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243
frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180
frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286
frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13
(lldb) register read
General Purpose Registers:
rax = 0x0000000000000103
rbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal
rcx = 0x00006100002e6200
rdx = 0x000000000001ad41
rdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal
rsi = 0x00006100002e6200
rbp = 0x0000700005a4a670
rsp = 0x0000700005a4a420
r8 = 0x0000000000000103
r9 = 0x00000000fb40cfc6
r10 = 0x00007fab8ac000a1
r11 = 0x0000000000000041
r12 = 0x0000700005a4a6b8
r13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal
r14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal
r15 = 0x0000000000008014
rip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833
rflags = 0x0000000000010286
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000

--------------------------------------------------------------------------------

Vendor
Pixmeo Sarl - http://www.osirix-viewer.com
Affected Version
OsiriX 8.0.1
Tested On
OS X 10.12.2 (Sierra)
OS X 10.12.1 (Sierra)
Vendor Status
[29.11.2016] Vulnerability discovered.
[30.11.2016] Vendor contacted.
[30.11.2016] Vendor responds asking more details.
[02.12.2016] Sent details to the vendor.
[02.12.2016] Vendor states that the issue is in the DCMTK library which they didn’t develop and thus will not try to reproduce or fix this vulnerability.
[16.12.2016] Public security advisory released.
PoC
osirix_bof.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://tools.ietf.org/html/rfc3240
[2] https://github.com/commontk/DCMTK/commit/1b6bb76
[3] https://www.exploit-db.com/exploits/40926/
[4] https://cxsecurity.com/issue/WLB-2016120096
[5] https://packetstormsecurity.com/files/140189
[6] http://www.vfocus.net/art/20161219/13212.html
Changelog
[16.12.2016] - Initial release
[20.12.2016] - Added reference [3], [4], [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk