OFFIS DCMTK
cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*
- <= 3.7.0
A command injection vulnerability has been identified in OFFIS DCMTK versions prior to 3.7.0, specifically within the storescp application. The issue arises in the 'executeOnReception' and 'executeOnEndOfStudy' functions, where user-controlled input is inadequately sanitized before being passed to the shell. This flaw enables remote code execution by exploiting DICOM C-STORE requests.
Successful exploitation allows for unauthorized remote code execution on the server where DCMTK is running.
The vulnerability can be reproduced by sending a crafted DICOM C-STORE request to a DCMTK application instance running storescp. The request must carry values that the 'executeOnReception' or 'executeOnEndOfStudy' functions process, such as the Study Instance UID or SOP Instance UID, containing shell metacharacters. Because the application does not properly sanitize these special characters, they reach the shell when the command is executed.
Users are advised to update to the latest version of OFFIS DCMTK, where this vulnerability has been patched. The patch can be applied by downloading the updated version from the official DCMTK GitHub repository.
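The defensive pattern for this class of bug, as an added example that is not DCMTK's code or its patch: validate the Study Instance UID and SOP Instance UID against the DICOM UID grammar, then pass them to the handler as separate arguments so no shell parses them. The function names, the handler path and the sample values are hypothetical.

```cpp
// Added example, not DCMTK source; every name here is hypothetical.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// DICOM UID grammar (PS3.5 section 9.1): at most 64 characters, only digits
// and '.', no empty component, no leading zero in a multi-digit component.
// Assumes any trailing NUL padding was already stripped by the DICOM parser.
bool isValidDicomUid(const std::string& uid) {
    if (uid.empty() || uid.size() > 64) return false;
    std::size_t start = 0;  // index where the current component begins
    for (std::size_t i = 0; i <= uid.size(); ++i) {
        if (i == uid.size() || uid[i] == '.') {
            const std::size_t len = i - start;
            if (len == 0) return false;                      // "1..2", ".1", "1."
            if (len > 1 && uid[start] == '0') return false;  // "1.02"
            start = i + 1;
        } else if (!std::isdigit(static_cast<unsigned char>(uid[i]))) {
            return false;  // whitespace, quotes, ';', '$', '`', '|', ...
        }
    }
    return true;
}

// Builds the argument vector for a post-reception handler. Each UID becomes
// one argv element for an exec-style call, so no shell parses it. Returns
// false and leaves argvOut empty when either UID fails validation.
bool buildHandlerArgv(const std::string& handlerPath, const std::string& studyUid,
                      const std::string& sopUid, std::vector<std::string>& argvOut) {
    argvOut.clear();
    if (!isValidDicomUid(studyUid) || !isValidDicomUid(sopUid)) return false;
    argvOut.push_back(handlerPath);
    argvOut.push_back(studyUid);
    argvOut.push_back(sopUid);
    return true;
}

int main() {
    std::vector<std::string> argv;
    // Constructed sample values: one well-formed pair, one with a metacharacter.
    const bool ok = buildHandlerArgv("/opt/hooks/on-store", "1.2.840.10008.1", "1.2.3.4", argv);
    const bool bad = buildHandlerArgv("/opt/hooks/on-store", "1.2.3;x", "1.2.3.4", argv);
    std::cout << "valid accepted: " << ok << ", tainted accepted: " << bad << "\n";
    return (ok && !bad) ? 0 : 1;
}
```

Rejecting a malformed UID outright, rather than stripping characters from it, keeps the check independent of any particular shell's quoting rules.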