Bug #1021

Path traversal vulnerability in DCMTK

Added by Marco Eichelberg over 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
High
Category:
Library and Apps
Target version:
-
Start date:
2022-05-06
Due date:
% Done:

100%

Estimated time:
6:00 h
Module:
Operating System:
Compiler:

Description

Several DCMTK tools use attributes of messages or datasets received over the network to generate a filename. For example, storescp by default generates a filename consisting of a few letters representing the modality, such as "CT", followed by a period "." and the SOP Instance UID. The problem is that the SOP Instance UID is not checked for validity (a well-formed DICOM UID consists only of digits and periods), so an attacker can embed arbitrary characters here, in particular something like "/../../../etc/passwd", which under certain conditions can cause a file to be written to a different directory than the working directory of storescp, with the access rights of the user executing storescp ("path traversal"). The file written is still a DICOM file, but some interpreters, PHP for example, ignore arbitrary leading bytes and still find and execute code embedded in a DICOM text attribute, so overwriting a PHP script of a web server running on the same machine can lead to code execution.

  • Affected DCMTK tools are: storescp, movescu, getscu, dcmrecv.
  • Affected private modules are: dcmppscu, dcmpps, dcmppsmg, stcomscu and dcmprscp.
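
The following is an added example to illustrate the filename construction described above and the check that closes it; it is not DCMTK code and does not use the DCMTK API. It assumes the modality prefix ("CT") is chosen by the receiver from an internal table and that the only attacker-controlled input is the SOP Instance UID string taken from the received dataset. The unchecked function reproduces the pattern from the report; the checked one applies the UID syntax rules from DICOM PS3.5 section 9.1 before building the name.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Unchecked variant: the pattern from the report (prefix + "." + UID).
// Because nothing is validated, "/../" sequences survive into the path.
std::string buildFilenameUnchecked(const std::string& prefix,
                                   const std::string& sopInstanceUid) {
    return prefix + "." + sopInstanceUid;
}

// Strip the single trailing NUL that the UI value representation allows
// as padding to even length, so that legitimate padded values pass.
static std::string stripUidPadding(std::string uid) {
    if (!uid.empty() && uid[uid.size() - 1] == '\0') {
        uid.erase(uid.size() - 1);
    }
    return uid;
}

// Syntax check per DICOM PS3.5 section 9.1: 1..64 characters, numeric
// components separated by single periods, no empty component, and no
// leading zero except for a component that is exactly "0". A string that
// passes cannot contain '/', '\\' or "..", so it is safe as a filename.
bool isValidUid(const std::string& rawUid) {
    const std::string uid = stripUidPadding(rawUid);
    if (uid.empty() || uid.size() > 64) return false;
    std::size_t start = 0;
    while (true) {
        const std::size_t dot = uid.find('.', start);
        const std::string comp = uid.substr(
            start, dot == std::string::npos ? std::string::npos : dot - start);
        if (comp.empty()) return false;            // leading, trailing or doubled '.'
        for (char c : comp) {
            if (c < '0' || c > '9') return false;  // anything but a digit
        }
        if (comp.size() > 1 && comp[0] == '0') return false;  // leading zero
        if (dot == std::string::npos) break;
        start = dot + 1;
    }
    return true;
}

// Hardened variant: refuses malformed UIDs and, as a second line of
// defence, refuses any result that still contains a path separator.
bool buildFilenameChecked(const std::string& prefix,
                          const std::string& sopInstanceUid,
                          std::string& out) {
    if (!isValidUid(sopInstanceUid)) return false;
    const std::string name = prefix + "." + stripUidPadding(sopInstanceUid);
    if (name.find('/') != std::string::npos ||
        name.find('\\') != std::string::npos) {
        return false;
    }
    out = name;
    return true;
}

int main() {
    // Constructed sample values (not from a real dataset): a well-formed
    // UID and the traversal payload shape from the report.
    const std::string good = "1.2.826.0.1.3680043.8.498.12345";
    const std::string evil = "/../../../etc/passwd";
    std::string name;

    std::cout << "unchecked: " << buildFilenameUnchecked("CT", evil) << "\n";
    std::cout << "checked good: "
              << (buildFilenameChecked("CT", good, name) ? name : "<rejected>") << "\n";
    std::cout << "checked evil: "
              << (buildFilenameChecked("CT", evil, name) ? name : "<rejected>") << "\n";
    return 0;
}
```

A receiver that already canonicalises the output path and verifies it stays inside the storage directory should still keep the UID syntax check: the syntax rule is cheap, independent of the operating system's path semantics, and also rejects values that would merely produce odd filenames rather than traversal.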

Thanks to Sharon Brizinov and Noam Moshe for the bug report and sample file and scripts.
