Bug #1194
closed
OS command injection vulnerability in storescp --exec-on-reception
Added by Marco Eichelberg about 1 month ago.
Updated 20 days ago.
Description
Three placeholder tokens used in the shell command execution feature (#f, #p, #r) are derived from attacker-controlled input with insufficient or no sanitization. An unauthenticated attacker can achieve remote code execution by sending a single crafted DICOM C-STORE request to a storescp instance configured with --exec-on-reception.
The vulnerability exists because shell metacharacters in attacker-controlled DICOM fields are not sanitized before being passed to /bin/sh -c. The DCMTK team partially addressed this class of issue in February 2024 (DCMTK issue #1109) by adding allowlist sanitization for AE title placeholders (#a, #c), but the same fix was not applied to the filename (#f), path (#p), or reverse DNS (#r) placeholders.
Reported 2026-02-21 by Machine Spirits UG (haftungsbeschränkt), contact@machinespirits.de
This vulnerability only affects the storescp command line tool, not the underlying libraries. The vulnerability is only present when storescp is executed with either the --exec-on-reception (short form: -xcr) or the --exec-on-eostudy (short form: -xcs) command line option. It can be exploited by an attacker who is able to use a DICOM Storage Service Class SCU (such as storescu) to send maliciously manipulated DICOM objects to the affected storescp instance. The following fields can be abused by including (forbidden) shell escape characters:
- SOP Instance UID (if the '#f' placeholder is present in the string passed to the execution option)
- Study Instance UID (if the '#p' placeholder is present in the string passed to the execution option and the --sort-on-study-uid (short: -su) option is also in use)
- Patient Name (if the '#p' placeholder is present in the string passed to the execution option and the --sort-on-patientname (short: -sp) option is also in use)
- DNS name of the SCU (if the '#r' placeholder is present and the attacker is able to modify the DNS entry for the attacking system)
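As an added illustration of the allowlist approach the description refers to (this is example code written for this page, not DCMTK's own sanitizer or storescp source), the block below expands the #f, #p and #r placeholders either raw, reproducing the defect, or through a character allowlist; the allowlist, the function names and the sample values are assumptions chosen here.

```cpp
#include <cctype>
#include <map>
#include <string>

// Allowlist applied to attacker-influenced values (SOP Instance UID, Study
// Instance UID, Patient Name, reverse-DNS name) before they are spliced into
// a command line that goes to /bin/sh -c. DICOM UIDs need only digits and
// '.'; the rest covers plain file and host name components. Every other byte,
// shell metacharacters included, becomes '_'. Deliberately strict: a PN such
// as "Doe^John" is mangled, not passed through; widen only with care.
static bool isAllowed(char c) {
    unsigned char u = static_cast<unsigned char>(c);
    return std::isalnum(u) || c == '.' || c == '_' || c == '-';
}

std::string sanitizeToken(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) out.push_back(isAllowed(c) ? c : '_');
    return out;
}

// Detection hook: a value the sanitizer would change is worth logging, since
// a conforming SCU never sends a UID containing ';', '$' or a backtick.
bool isCleanToken(const std::string& in) { return sanitizeToken(in) == in; }

// Expand #f, #p and #r in the template given to --exec-on-reception. With
// sanitize=false the raw values are spliced in, reproducing the defect this
// issue describes; with sanitize=true each value passes the allowlist first.
// '#' followed by an unknown letter, or a trailing '#', is copied unchanged.
std::string expandCommand(const std::string& tmpl,
                          const std::map<char, std::string>& values,
                          bool sanitize) {
    std::string out;
    for (std::string::size_type i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '#' && i + 1 < tmpl.size()) {
            auto it = values.find(tmpl[i + 1]);
            if (it != values.end()) {
                out += sanitize ? sanitizeToken(it->second) : it->second;
                ++i;  // skip the placeholder letter
                continue;
            }
        }
        out.push_back(tmpl[i]);
    }
    return out;
}
```

Rejecting (and logging) any value for which isCleanToken returns false, rather than silently rewriting it, is the stricter choice when the command must not run on mangled names.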
- Status changed from New to Closed
- % Done changed from 0 to 100
- Estimated time set to 4:00 h
Closed by DCMTK commit #edbb085e4.
- Private changed from Yes to No