Bug #1109
closed
Security vulnerability in storescp's --exec-on-reception and --exec-on-eostudy options
100%
Description
When storescp is executed with the --exec-on-reception or --exec-on-eostudy option, a command line can be specified that will be executed after the receipt of an image, or the receipt of an entire study, respectively.
The command line can contain certain placeholders, such as #f for the filename of the DICOM file, #a for the calling aetitle, or #c for the called aetitle.
The code that copies the application entity titles into the command line is not protected against shell escape characters. This can be abused by a malicious attacker to pass a short command (less than 16 characters) in the aetitle that will be executed by storescp.
The issue can be demonstrated by running (in two different shells):
    storescp --exec-on-reception "echo '#c'" 10004
    storescu localhost 10004 testfile.dcm --call "';touch TEST'"
This will cause a file named "TEST" to be created in the directory where storescp is executed.
Note: This vulnerability is only present when storescp is executed with the --exec-on-reception or --exec-on-eostudy option, and the command line passed to this option contains the '#a' or '#c' placeholder.
Reported 2024-02-14 by Phileas Lebada <phileas@contextflow.com>.
Updated by Marco Eichelberg over 1 year ago
- Status changed from New to Closed
- % Done changed from 0 to 100
- Estimated time set to 2:00 h
Closed by commit #b789e34e1.
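The placeholder substitution described in this report, shown unprotected and with an allowlist filter applied to the AE titles first. This is an added example, not DCMTK code and not the content of the commit above; the function names and the choice of allowed characters are assumptions, and the sample values are the ones from the report plus a constructed calling AE title.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not DCMTK code): allowlist filter for an AE title that
// will be pasted into a shell command line. Anything outside [A-Za-z0-9_.-]
// becomes '_', so quotes, ';', '$', backticks, spaces and '#' never reach the shell.
std::string sanitizeAETitle(const std::string& aet) {
    std::string out;
    for (unsigned char ch : aet)
        out += (std::isalnum(ch) || ch == '_' || ch == '.' || ch == '-')
                   ? static_cast<char>(ch) : '_';
    if (out.size() > 16) out.resize(16);  // the DICOM AE value representation holds at most 16 characters
    return out;
}

// Replace every occurrence of a placeholder, skipping over the inserted value
// so that inserted text is not rescanned for the same placeholder.
std::string replaceAll(std::string cmd, const std::string& ph, const std::string& val) {
    for (std::size_t pos = 0; (pos = cmd.find(ph, pos)) != std::string::npos; pos += val.size())
        cmd.replace(pos, ph.size(), val);
    return cmd;
}

// Unprotected substitution: peer-controlled AE titles are copied in verbatim.
std::string buildCommandUnsafe(const std::string& tmpl, const std::string& calling,
                               const std::string& called) {
    return replaceAll(replaceAll(tmpl, "#a", calling), "#c", called);
}

// Hardened substitution: AE titles pass through the allowlist before being inserted.
std::string buildCommandSafe(const std::string& tmpl, const std::string& calling,
                             const std::string& called) {
    return replaceAll(replaceAll(tmpl, "#a", sanitizeAETitle(calling)),
                      "#c", sanitizeAETitle(called));
}

int main() {
    const std::string tmpl = "echo '#c'";        // command template from the report
    const std::string called = "';touch TEST'";  // called AE title from the report
    // "STORESCU" is a constructed sample calling AE title.
    std::cout << buildCommandUnsafe(tmpl, "STORESCU", called) << "\n"
              << buildCommandSafe(tmpl, "STORESCU", called) << "\n";
    return 0;
}
```

The first output line shows the quoting of the template being closed by the AE title; the second shows the same title reduced to inert characters inside the original quotes.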