CVE-2024-29421 is a critical buffer overflow vulnerability in the open-source medical image processing software xmedcon, version 0.23.0. The affected code is in the "libs/dicom/basic.c" file, on the path that parses DICOM input. When successfully exploited, this vulnerability allows an attacker to execute arbitrary code on the system that opens the file.

In this post, we will explore the details of this vulnerability and discuss the exploit, along with the fix that shipped in version 0.24.0 of xmedcon. We will also walk through the code associated with this vulnerability and provide links to the original references for further information.

Code Snippet with Vulnerability

The vulnerability can be found in the "libs/dicom/basic.c" file of xmedcon 0.23.0. Here is the relevant code path, with unrelated parts elided:

#include "dicom.h"

...

Mdc_dicom_object *dicom_read(FILE *fp)
{
    ...

    while(!feof(fp)) {
        ...
        if (group == DCM_GROUP_SEQUENCE) {
         ...
         if (elem == DCM_ELEMENT_SEQ_LENGTH) {
          if (length != UNDEFINED_LENGTH) {

           // Vulnerable: "length" comes straight from the file and is
           // never compared with the bytes remaining in the buffer
           temp_ptr = ptr;
           ptr += length;
           ...

          } 
         } 
        }
        ...
    }

    ...
}

The above code snippet shows a portion of the dicom_read() function, which is responsible for reading a DICOM file. The "length" value is parsed from the file, so it is fully attacker-controlled, yet it is added to "ptr" without checking that that many bytes remain in the buffer. When "length" is larger than the available buffer, "ptr" ends up past the end of the allocation and the subsequent reads and writes through it (and through the saved "temp_ptr") access memory outside the buffer.

Exploit Details

An attacker can exploit this vulnerability by creating a specially crafted DICOM file whose element carries a "length" value far larger than the data that follows it, which triggers the buffer overflow. When this malicious file is processed by the vulnerable xmedcon version 0.23.0, it could lead to arbitrary code execution. No privileges are needed beyond convincing the victim (or an automated pipeline) to open the file.

A Proof-of-Concept (PoC) exploit for this vulnerability can be found at the Exploit Database (EDB):

- CVE-2024-29421 PoC Exploit

Fix in v0.24.0

The developers of xmedcon fixed the vulnerability in version 0.24.0 of the software. The patch validates the "length" variable against the bytes still available before "ptr" is advanced. Here's the updated code snippet with the fix:

#include "dicom.h"

...

Mdc_dicom_object *dicom_read(FILE *fp)
{
    ...

    while(!feof(fp)) {
        ...
        if (group == DCM_GROUP_SEQUENCE) {
         ...
         if (elem == DCM_ELEMENT_SEQ_LENGTH) {
          if (length != UNDEFINED_LENGTH) {

           // Fixed: reject a length larger than the bytes remaining
           // before it is ever used to move ptr
           if (length > available_buffer) {
             /* Handle buffer overflow error */
             ...
           } else {
             temp_ptr = ptr;
             ptr += length;
             ...
           }

          } 
         } 
        }
        ...
    }

    ...
}

As shown above, the fix compares "length" with "available_buffer" (the number of bytes still left in the buffer) before advancing "ptr", and takes an error path instead of advancing when the length is too large. The shape of the check matters: comparing the length against the remaining size is safe, whereas a check written as "ptr + length > end" computes the out-of-range pointer first and can itself wrap around for very large lengths, passing the check it was meant to enforce. The undefined-length case (0xFFFFFFFF in DICOM) is already separated out by the enclosing condition, so it never reaches the comparison.
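To make the vulnerable pattern, the crafted input and the fix concrete, here is an added example that is not xmedcon's code: a minimal walker over DICOM implicit-VR little-endian elements (2-byte group, 2-byte element, 4-byte length, value) with the unchecked "ptr += length" advance beside a bounds-checked version. The names (walk_unchecked, walk_checked, the dcm_* byte arrays) are hypothetical, and the byte arrays are constructed inputs rather than real files.

```c
/*
 * Added example, not xmedcon's code.  Walks DICOM implicit-VR little-endian
 * elements: group(2) element(2) length(4) value(length).  Names and sample
 * bytes are hypothetical / constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DCM_UNDEFINED_LENGTH 0xFFFFFFFFu  /* value is delimited, not counted */
#define DCM_HEADER_LEN       8            /* group + element + length */

enum walk_status { WALK_OK = 0, WALK_TRUNCATED = 1, WALK_BAD_LENGTH = 2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable walker.  It mirrors the page's "ptr += length" using a 64-bit
 * offset so the arithmetic stays well-defined here; in real code the same
 * value becomes a pointer past the end of the buffer, and the next access
 * through it is the out-of-bounds read or write.  Returns how far past the
 * end of buf the cursor landed (0 when it stayed inside).
 */
static uint64_t walk_unchecked(const uint8_t *buf, size_t len, unsigned *count)
{
    uint64_t off = 0;
    *count = 0;
    while (len >= DCM_HEADER_LEN && off <= len - DCM_HEADER_LEN) {
        uint32_t length = rd32le(buf + off + 4);
        off += DCM_HEADER_LEN;
        if (length != DCM_UNDEFINED_LENGTH)
            off += length;      /* BUG: length never compared to bytes left */
        (*count)++;
    }
    return off > len ? off - len : 0;
}

/*
 * Hardened walker.  The check is "length > remaining", never
 * "off + length > len": the latter forms the out-of-range value first and
 * can wrap on a 32-bit cursor.  An undefined-length sequence is not skipped;
 * its items and delimiters are walked as ordinary elements, so no length
 * from the file is ever trusted without a comparison.
 */
static enum walk_status walk_checked(const uint8_t *buf, size_t len, unsigned *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (len - off < DCM_HEADER_LEN)
            return WALK_TRUNCATED;          /* header cut short */
        uint32_t length = rd32le(buf + off + 4);
        off += DCM_HEADER_LEN;
        (*count)++;
        if (length == DCM_UNDEFINED_LENGTH)
            continue;                       /* delimited: descend, do not skip */
        if (length > len - off)
            return WALK_BAD_LENGTH;         /* crafted or truncated value */
        off += length;
    }
    return WALK_OK;
}

/* Constructed inputs (not real files). */

/* One benign element, then a sequence header whose length field is
   0xFFFFFFF0: the "large length value" of the crafted file. */
static const uint8_t dcm_crafted[] = {
    0x08, 0x00, 0x16, 0x00,  0x02, 0x00, 0x00, 0x00,  'A', 'B',  /* (0008,0016), 2 bytes */
    0x08, 0x00, 0x40, 0x11,  0xF0, 0xFF, 0xFF, 0xFF,             /* (0008,1140), 0xFFFFFFF0 */
};

/* Undefined-length sequence holding one item, closed by a delimiter. */
static const uint8_t dcm_benign[] = {
    0x08, 0x00, 0x40, 0x11,  0xFF, 0xFF, 0xFF, 0xFF,             /* (0008,1140), undefined */
    0xFE, 0xFF, 0x00, 0xE0,  0x02, 0x00, 0x00, 0x00,  'x', 'y',  /* item (FFFE,E000), 2 bytes */
    0xFE, 0xFF, 0xDD, 0xE0,  0x00, 0x00, 0x00, 0x00,             /* delimiter (FFFE,E0DD) */
};

/* Header truncated after five bytes. */
static const uint8_t dcm_short[] = { 0x08, 0x00, 0x16, 0x00, 0x02 };

int main(void)
{
    unsigned n;
    uint64_t over = walk_unchecked(dcm_crafted, sizeof dcm_crafted, &n);
    printf("unchecked, crafted: cursor %llu bytes past end after %u elements\n",
           (unsigned long long)over, n);
    enum walk_status st = walk_checked(dcm_crafted, sizeof dcm_crafted, &n);
    printf("checked,   crafted: status %d after %u elements\n", st, n);
    st = walk_checked(dcm_benign, sizeof dcm_benign, &n);
    printf("checked,   benign:  status %d after %u elements\n", st, n);
    st = walk_checked(dcm_short, sizeof dcm_short, &n);
    printf("checked,   short:   status %d\n", st);
    return 0;
}
```

On the crafted input the unchecked walker consumes the second header exactly at the end of the buffer and then jumps 0xFFFFFFF0 bytes beyond it, which is where a real parser would fault or corrupt memory; the checked walker stops at the same element with WALK_BAD_LENGTH, while still handling the undefined-length sequence in the benign input and reporting a truncated header separately.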

Conclusion

CVE-2024-29421 is a serious buffer overflow vulnerability in xmedcon 0.23.0 that allows an attacker to execute arbitrary code through a specially crafted DICOM file. By analyzing the vulnerable code and understanding the exploit, developers can learn how to avoid the same mistake, trusting a length field from untrusted input, in their own parsers. The fix in version 0.24.0 of xmedcon is a straightforward example of validating such a length against the space actually available before using it.

Original References

- CVE-2024-29421 on the National Vulnerability Database (NVD)
- xmedcon GitHub Repository Changelog
- xmedcon GitHub Repository Commit for the Fix

Timeline

Published on: 05/22/2024 18:15:09 UTC
Last modified on: 08/19/2024 18:35:07 UTC