DCMTK Stack-Based Buffer Overflow Vulnerability in dcmqrscp Component

Vulnerability

A stack-based buffer overflow vulnerability has been identified in DCMTK versions through 3.6.5. The issue arises in the dcmqrscp component, specifically within the parseQuota function. The vulnerability is triggered by a malformed StorageQuota value, leading to a stack-based buffer overflow. This vulnerability requires local access to exploit.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, crashing the dcmqrscp application during configuration processing. Additionally, the buffer overflow could potentially be exploited to execute arbitrary code, depending on the compiler and stack layout.

Reproduction

To reproduce this vulnerability, DCMTK version 3.6.5 (or a relevant vulnerable version) must be built with AddressSanitizer enabled. After compiling the application, the default configuration file for the DICOM Query/Retrieve SCP server, named dcmqrscp.cfg, should be replaced with a crafted file that includes a malformed StorageQuota value. Once the configuration file is in place, the dcmqrscp application can be started in single-process mode, which will trigger the buffer overflow and cause the application to crash.

Remediation

Upgrading to DCMTK version 3.6.6 or later is recommended to address this vulnerability.
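The following is an added example, not DCMTK's own parseQuota code, showing the defensive shape a fix for this bug class takes in C: the quota value is length-gated and parsed in place with strtol/strtoull instead of being copied into a fixed-size stack buffer. The "(<maxStudies>, <maxBytes>)" layout and the 64-byte limit are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define QUOTA_MAX_LEN 64  /* longest quota string accepted (assumed limit) */
typedef struct { long max_studies; unsigned long long max_bytes; } quota_t;
static const char *skip_ws(const char *p) { while (isspace((unsigned char)*p)) p++; return p; }

/* Parse "(<maxStudies>, <maxBytes>)" into q without copying the input into
 * any fixed-size buffer. Returns 0 on success, -1 on malformed, signed,
 * out-of-range, over-long or trailing-junk input. */
int parse_quota(const char *s, quota_t *q)
{
    const char *p; char *end;
    long studies; unsigned long long bytes; size_t n = 0;

    if (s == NULL || q == NULL) return -1;
    while (n <= QUOTA_MAX_LEN && s[n] != '\0') n++;   /* length gate first */
    if (n > QUOTA_MAX_LEN) return -1;                 /* bounded before interpreted */
    p = skip_ws(s);
    if (*p++ != '(') return -1;
    p = skip_ws(p);
    if (!isdigit((unsigned char)*p)) return -1;       /* no sign, no empty field */
    errno = 0;
    studies = strtol(p, &end, 10);
    if (errno == ERANGE || studies > INT_MAX) return -1;
    p = skip_ws(end);
    if (*p++ != ',') return -1;
    p = skip_ws(p);
    if (!isdigit((unsigned char)*p)) return -1;
    errno = 0;
    bytes = strtoull(p, &end, 10);
    if (errno == ERANGE) return -1;
    p = skip_ws(end);
    if (*p++ != ')') return -1;
    if (*skip_ws(p) != '\0') return -1;               /* trailing junk */
    q->max_studies = studies;
    q->max_bytes = bytes;
    return 0;
}

/* Check helper: -1 if s is rejected, 1 if it parses to (studies, bytes), else 0. */
int quota_check(const char *s, long studies, unsigned long long bytes)
{
    quota_t q;
    if (parse_quota(s, &q) != 0) return -1;
    return q.max_studies == studies && q.max_bytes == bytes;
}
```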

Added: Oct 21, 2025, 3:23 PM
Updated: Oct 21, 2025, 8:03 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          2.5
  exploitability  4.8
  remediation     7.7
  relevance       0.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.