SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit
Title: SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit
Advisory ID: ZSL-2017-5395
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 11.02.2017
Summary
SonicDICOM is PACS software that combines the capabilities of a DICOM Server with a web-browser-based DICOM Viewer.
Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests are legitimate. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site.
Vendor
JIUN Corporation - https://www.sonicdicom.com
Affected Version
2.3.2 and 2.3.1
Tested On
Microsoft-HTTPAPI/2.0
Vendor Status
[22.11.2016] Vulnerability discovered.
[28.11.2016] Vendor contacted.
[29.11.2016] Vendor responds asking more details.
[29.11.2016] Sent details to the vendor.
[30.11.2016] Vendor replies.
[04.12.2016] Asked vendor for status update.
[06.12.2016] Vendor is checking the issues.
[14.12.2016] Asked vendor for confirmation of the issues.
[14.12.2016] Meanwhile, vendor releases version 2.3.2 which fixes a bug in DICOM comm.
[15.12.2016] Vendor confirms the issues, scheduling patch in April 2017.
[26.01.2017] Asked vendor for status update.
[27.01.2017] Vendor replies.
[11.02.2017] Public security advisory released.
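The weakness described above is a state-changing request that is accepted on the strength of the session cookie alone. The following is an added example, not code from the advisory or from the SonicDICOM product, showing the two checks that close that gap: an Origin/Referer comparison against the site's own origin and a per-session synchronizer token compared in constant time. The origin `https://pacs.example.internal`, the user-creation handler shapes and the field names are all assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the origin at which the PACS web UI is served (assumption).
ALLOWED_ORIGIN = "https://pacs.example.internal"


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and keep it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_matches(headers):
    """True only if Origin (or, failing that, Referer) names our own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # cannot attribute the request: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def add_user_vulnerable(session, form):
    """Illustrative 'before' shape: any request carrying a valid session is honoured."""
    return {"user": form["username"], "role": form["role"], "created": True}


def add_user_hardened(session, headers, form):
    """'After' shape: the browser origin and the synchronizer token must both check out."""
    if not origin_matches(headers):
        return {"created": False, "reason": "bad origin"}
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest on bytes avoids leaking token prefixes through timing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"created": False, "reason": "bad csrf token"}
    return {"user": form["username"], "role": form["role"], "created": True}
```

A cross-site form post carries the victim's cookie but neither the token nor a matching Origin, so the hardened handler refuses it while the same request from the application's own pages succeeds.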
PoC
sonicdicom_csrf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/41310/
[2] https://cxsecurity.com/issue/WLB-2017020110
[3] https://packetstormsecurity.com/files/141051
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/121961
Changelog
[11.02.2017] - Initial release
[18.02.2017] - Added references [1], [2], [3] and [4]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk