Exploiting Healthcare Servers with Polyglot Files [CVE-2023-33466]

We discussed this vulnerability during Episode 221 on 06 November 2023

The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc’s DICOM server. The vulnerability is a natural consequence of two features:

  1. Importing DICOM files.
  2. Exporting DICOM files to arbitrary locations on the filesystem, including overwriting existing files.

Because importing parses the DICOM file, the file does need to be valid, which is the semi-controlled aspect of this attack. Fortunately for the researchers, the DICOM file specification starts with a 128-byte preamble of unspecified data, meant to let other applications attach application-specific data to the DICOM file. After that chunk come the usual magic bytes DICM, which can be matched to determine the file type, followed by the more structured file format.

The authors were able to craft a valid configuration file inside those 128 bytes, ending with a null byte so the C++ JSON library in use would stop processing and ignore the rest of the DICOM file. They then used the /reset endpoint to restart the server and reload the configuration. The crafted configuration enabled a normally disabled endpoint that accepts arbitrary Lua scripts for execution.
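The defensive counterpart of the trick described above is to look at the preamble the way a NUL-terminated text parser would: if the bytes before the DICM magic read as a JSON document, the file is a polyglot and should not be treated as a plain image. The following Python is an added example written for this summary, not code from the Orthanc project or the original research; the sample files it builds are constructed minimal headers, and the JSON placeholder `{"example": true}` is a stand-in, not a real Orthanc configuration option.

```python
import json

DICOM_MAGIC = b"DICM"
PREAMBLE_LEN = 128


def inspect_preamble(data: bytes) -> dict:
    """Inspect the 128-byte preamble that precedes the DICM magic.

    A C/C++ text parser handed the whole file stops at the first NUL byte,
    so this mirrors that view and reports what such a parser would see.
    """
    findings = {
        "is_dicom": False,
        "preamble_all_zero": False,
        "preamble_text": "",
        "preamble_parses_as_json": False,
    }
    if len(data) < PREAMBLE_LEN + len(DICOM_MAGIC):
        return findings
    preamble = data[:PREAMBLE_LEN]
    findings["is_dicom"] = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC
    findings["preamble_all_zero"] = not any(preamble)
    # Bytes up to the first NUL: the string a C-style consumer would read.
    head = preamble.split(b"\x00", 1)[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return findings  # binary preamble, cannot be a JSON document
    if text:
        findings["preamble_text"] = text
        try:
            parsed = json.loads(text)
            findings["preamble_parses_as_json"] = isinstance(parsed, (dict, list))
        except json.JSONDecodeError:
            pass
    return findings


def classify(data: bytes) -> str:
    """Triage verdict for an uploaded file based on its preamble."""
    f = inspect_preamble(data)
    if not f["is_dicom"]:
        return "not-dicom"
    if f["preamble_parses_as_json"]:
        return "suspicious-json-preamble"
    if not f["preamble_all_zero"]:
        # Non-zero preambles are legitimate (e.g. TIFF-dual-format files),
        # but worth a second look in an environment that expects zeros.
        return "review-nonzero-preamble"
    return "clean"


# Constructed samples (not real DICOM payloads): preamble + magic + the
# first bytes of a file meta group, enough for the header checks above.
META_TAIL = DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00"
BENIGN_FILE = b"\x00" * PREAMBLE_LEN + META_TAIL
SAMPLE_JSON = b'{"example": true}'  # placeholder, not an Orthanc option
POLYGLOT_FILE = SAMPLE_JSON.ljust(PREAMBLE_LEN, b"\x00") + META_TAIL
TIFF_PREAMBLE_FILE = b"II*\x00".ljust(PREAMBLE_LEN, b"\x00") + META_TAIL

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_FILE), ("polyglot", POLYGLOT_FILE),
                       ("tiff-preamble", TIFF_PREAMBLE_FILE)]:
        print(f"{name}: {classify(blob)}")
```

A server-side import hook can reject or quarantine anything that returns `suspicious-json-preamble`, and an even simpler hardening that needs no parsing is to zero the preamble before writing the file anywhere on disk.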

While this vulnerability was in authenticated endpoints, they point out that there are instances running and exposed to the internet with default credentials.