CVE-2017-2852
An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Natus Xltek NeuroWorks 8
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-125 - Out-of-bounds Read
Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.
Upon reception of data, NWStorage attempts to unserialize the data passed to it. NWStorage recognizes a variety of data types, two of which are string and itemlist. The serialized format for the string type is shown below:
char type; // 2 in the case of string
int length; // Length of the string plus 5 bytes for the header
char[length] string; // The string itself
The serialized format for the itemlist type is similar and shown below:
char type; // 4 in the case of itemlist
int elements; // Number of elements in the itemlist
Item[elements] data; // Simple array of Items
The process of unserializing the items in the list can be summarized in the following pseudocode:
total_num_elements = itemlist.elements;   // taken from the packet header, never validated
current_num_elements = 0;
while ( 1 )
{
    current_item = UnserializeItem(itemlist_pointer);
    if ( !current_item )
        break;
    itemlist_pointer += current_item.length;   // length comes from the item header, no bounds check
    if ( ++current_num_elements >= total_num_elements )
        return 1;
}
NWStorage honors the number of elements specified in the itemlist header and proceeds to attempt to unserialize that many items. The next item to be unserialized is determined by the length specified in that item’s header. The unserialization of a generic item is shown below:
.text:23002492 018 mov edi, [esp+18h+buf] // Current Item buffer
.text:23002496 018 test edi, edi
.text:23002498 018 jz loc_2300261C ; jumptable 230024B8 default case
.text:2300249E 018 mov esi, 5
.text:230024A3 018 cmp [edi+1], esi // Out of bounds
If an item carries an invalid length, NWStorage adds the wrong number of bytes to its current position in the serialized buffer. If the new location lies outside the buffer, the comparison at 0x230024A3 dereferences it and crashes the service, resulting in a denial of service.
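As an added illustration (not code from the advisory or from Natus), the parser below applies the check the vulnerable loop lacks: each item's declared length must cover its own 5-byte header and fit inside the bytes actually received before the parser advances. Little-endian integers and lists containing only string items are assumptions.

```c
/* Added example (not Natus's code): a bounds-checked parser for the string and
 * itemlist format above. Little-endian ints and string-only lists are assumed. */
#include <stddef.h>
#include <stdint.h>

#define TYPE_STRING   2
#define TYPE_ITEMLIST 4
#define HDR_LEN       5   /* 1 type byte + 4-byte int */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the string item at buf[off]; return its length, or 0 if malformed. */
static size_t parse_string(const uint8_t *buf, size_t len, size_t off) {
    if (len - off < HDR_LEN || buf[off] != TYPE_STRING) return 0;
    uint32_t item_len = rd32(buf + off + 1);
    /* The vulnerable loop trusts item_len when advancing; here it must cover
       its own header and stay inside the bytes actually received. */
    if (item_len < HDR_LEN || item_len > len - off) return 0;
    return item_len;
}

/* Walk an itemlist of strings. Returns the element count on success, or -1
   when the packet is malformed, instead of reading past the buffer. */
int parse_itemlist(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN || buf[0] != TYPE_ITEMLIST) return -1;
    uint32_t elements = rd32(buf + 1);
    size_t off = HDR_LEN;
    for (uint32_t i = 0; i < elements; i++) {
        size_t n = parse_string(buf, len, off);
        if (n == 0) return -1;   /* header claims more than was received */
        off += n;
    }
    return (int)elements;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t good_pkt[] = {
    4, 2, 0, 0, 0,                   /* itemlist with 2 elements   */
    2, 7, 0, 0, 0, 'h', 'i',         /* string "hi", length 5 + 2  */
    2, 8, 0, 0, 0, 'b', 'y', 'e' };  /* string "bye", length 5 + 3 */
static const uint8_t bad_pkt[] = {   /* second item's length is bogus */
    4, 2, 0, 0, 0,
    2, 7, 0, 0, 0, 'h', 'i',
    2, 0xff, 0xff, 0xff, 0x7f, 'b', 'y', 'e' };

int demo_good(void) { return parse_itemlist(good_pkt, sizeof good_pkt); }
int demo_bad(void)  { return parse_itemlist(bad_pkt, sizeof bad_pkt); }
```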
(508.df4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=024bfdd0 ebx=00000001 ecx=017d8fb0 edx=2300a2d0 esi=00000005 edi=e02b4e08
eip=230024a3 esp=024bfdc4 ebp=017d8f10 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
230024a3 397701 cmp dword ptr [edi+1],esi ds:0023:e02b4e09=????????
2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release
Discovered by Cory Duplantis of Cisco Talos.