NovaRad NovaPACS Diagnostics Viewer v8.5 OOB XXE File Disclosure

Title: NovaRad NovaPACS Diagnostics Viewer v8.5 OOB XXE File Disclosure
Advisory ID: ZSL-2018-5488
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 05.09.2018
Summary
NovaPACS revolutionary workflow infrastructure has been designed and developed using the expertise of radiology directors, technicians, PACS administrators for over 20 years. This wealth of imaging experience has lead to over 850 installations in more than 15 countries as well as key partnerships throughout the imaging industry. Built as a completely scalable solution, NovaPACS can be used in imaging centers, or in a hospital environment as a part of a complete enterprise imaging strategy. Our feature-rich PACS system is entirely customizable. This allows optimization of each user’s profile based on their unique needs and demands which, improves both speed and efficiency. The NovaPACS user interface can display reports, priors and patient histories right alongside the most current study.
Description
NovaPACS suffers from an unauthenticated XML External Entity (XXE) injection vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data from the affected node via out-of-band (OOB) channel attack. The vulnerability is triggered when importing XML format preferences within the settings submenu.
Vendor
NovaRad Corporation - http://www.novarad.net
Affected Version
8.5.19.75 (Diagnostics Viewer, Study Browser)
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[28.08.2018] Vulnerability discovered.
[28.08.2018] Vendor contacted.
[02.09.2018] No response from the vendor.
[03.09.2018] Vendor contacted.
[04.09.2018] No response from the vendor.
[05.09.2018] Public security advisory released.
PoC
novapacs_xxe.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/149487
[2] https://packetstormsecurity.com/files/149245
[3] https://cxsecurity.com/issue/WLB-2018090058
[4] https://www.exploit-db.com/exploits/45337/
Changelog
[05.09.2018] - Initial release
[07.09.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk