SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Title: SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Advisory ID: ZSL-2017-5396
Type: Local/Remote
Impact: Privilege Escalation, Cross-Site Scripting
Risk: (4/5)
Release Date: 11.02.2017
Summary
SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer.
Description
The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by sending an HTTP PATCH request setting the parameter 'Authority' to integer value '1', gaining admin rights.
Vendor
JIUN Corporation - https://www.sonicdicom.com
Affected Version
2.3.2 and 2.3.1
Tested On
Microsoft-HTTPAPI/2.0
Vendor Status
[22.11.2016] Vulnerability discovered.
[28.11.2016] Vendor contacted.
[29.11.2016] Vendor responds asking more details.
[29.11.2016] Sent details to the vendor.
[30.11.2016] Vendor replies.
[04.12.2016] Asked vendor for status update.
[06.12.2016] Vendor is checking the issues.
[14.12.2016] Asked vendor for confirmation of the issues.
[14.12.2016] Meanwhile, vendor releases version 2.3.2 which fixes a bug in DICOM comm.
[15.12.2016] Vendor confirms the issues, scheduling patch in April 2017.
[26.01.2017] Asked vendor for status update.
[27.01.2017] Vendor replies.
[11.02.2017] Public security advisory released.
PoC
sonicdicom_eop.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/41311/
[2] https://cxsecurity.com/issue/WLB-2017020109
[3] https://packetstormsecurity.com/files/141052
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/121963
Changelog
[11.02.2017] - Initial release
[18.02.2017] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
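
The Description above comes down to a missing server-side authorization check on a privilege-bearing field of a PATCH request. The following Python sketch is an added example, not SonicDICOM's code and not part of the advisory, showing one way to enforce that check. Only the 'Authority' field and the value 1 for admin come from the advisory; the record layout, the other field names and the value 2 for a normal user are assumptions.

```python
ADMIN = 1                                  # from the advisory: Authority 1 = admin
USER = 2                                   # assumed value for a normal user
SELF_EDITABLE = {"name", "email"}          # hypothetical profile fields
ADMIN_ONLY = {"authority"}                 # privilege-bearing field


class Forbidden(Exception):
    """The caller is not allowed to make the requested change."""


def apply_user_patch(caller, target, patch):
    """Return an updated copy of `target`, or raise Forbidden.

    `caller` and `target` are records loaded server-side (session, database);
    `patch` is the untrusted, already-parsed body of the PATCH request.
    """
    is_admin = caller["Authority"] == ADMIN    # role comes from the server's record only
    if not is_admin and caller["Id"] != target["Id"]:
        raise Forbidden("users may only edit their own account")

    canonical = {name.lower(): name for name in target}
    updated = dict(target)
    for key, value in patch.items():
        field = key.lower()                    # 'authority' is treated as 'Authority'
        if field in ADMIN_ONLY:
            if not is_admin:
                raise Forbidden(f"{key!r} can only be changed by an admin")
            # type() check also rejects True, which compares equal to 1
            if type(value) is not int or value not in (ADMIN, USER):
                raise Forbidden(f"invalid value for {key!r}")
        elif field not in SELF_EDITABLE:
            raise Forbidden(f"{key!r} is not an updatable field")
        updated[canonical[field]] = value
    return updated


def demo():
    """Run the check on constructed records: one normal user, one admin."""
    alice = {"Id": 7, "Name": "alice", "Email": "a@example.test", "Authority": USER}
    root = {"Id": 1, "Name": "admin", "Email": "r@example.test", "Authority": ADMIN}
    results = {"rename": apply_user_patch(alice, alice, {"Name": "Alice B."})["Name"]}
    try:
        apply_user_patch(alice, alice, {"authority": 1})   # the request the advisory describes
        results["self_promote"] = "allowed"
    except Forbidden:
        results["self_promote"] = "rejected"
    results["admin_promote"] = apply_user_patch(root, alice, {"Authority": ADMIN})["Authority"]
    return results
```

The function never reads the caller's role from the request body, and it rejects unknown fields outright rather than ignoring them, so a newly added privileged column is not writable by default.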