Talos Vulnerability Report

TALOS-2017-0362

Natus Xltek EEG NeuroWorks ItemList Traversal Denial-of-Service Vulnerability

May 31, 2018
CVE Number

CVE-2017-2858

Summary

An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

Modules used in this advisory are below:

0:000> lm vm list
start    end        module name
23000000 23012000   List       (export symbols)       c:\Neuroworks\List.dll
    Loaded symbol image file: c:\Neuroworks\List.dll
    Image path: c:\Neuroworks\List.dll
    Image name: List.dll
    Timestamp:        Wed Nov 06 09:58:18 2013 (527A833A)
    CheckSum:         0001779F
    ImageSize:        00012000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

Upon reception of data, NWStorage attempts to unserialize the data passed to it. NWStorage recognizes a variety of data types, one of which is the itemlist. The serialized format for the itemlist type is simple, and is shown below:

char type;    // 4 in the case of itemlist
int elements; // Number of elements in the itemlist
Item[elements] data; // Simple array of Items 

When traversing a list, the following idiom is used to retrieve elements of the list:

list_head = CItemList::Head(current_list);
first_element = CItem::Next(list_head);

The CItemList::Head function is shown below:

List.dll
.text:230011E0 000                 mov     eax, [this+14h] 
.text:230011E3 000                 retn

The CItem::Next function is shown below:

List.dll
.text:23001290 000                 mov     eax, [this+4]  
.text:23001293 000                 retn

An example of an empty itemlist after unserialization is shown below:

0:000> dc ecx
0255fe54  2300a2d0 00000000 00000000 00000000  ...#............
0255fe64  2300f048 00000000 00000000 2300a2d0  H..#...........#

CItemList::Head can return a NULL value; for the empty itemlist dumped above, the head field at offset +14h (0255fe68) is zero. This NULL value is then passed to CItem::Next, which dereferences offset +4 of it (address 00000004). This causes an access violation, resulting in a denial of service in the NWStorage service.
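As an added example (not code from the advisory or from Natus), the C below reconstructs the traversal idiom and places it beside a hardened form that validates the head before calling Next; the structure layouts, field names, placeholder item pool and little-endian element count are assumptions drawn from the disassembly and format description above.

```c
#include <stdint.h>
#include <string.h>
/* Layouts reconstructed from the advisory's disassembly (field names are
   assumptions): CItemList::Head reads [this+0x14], CItem::Next reads [this+4]. */
typedef struct Item { void *vtable; struct Item *next; } Item;
typedef struct ItemList { uint8_t opaque[0x14]; Item *head; } ItemList;
static Item *itemlist_head(const ItemList *l) { return l->head; } /* CItemList::Head */
static Item *item_next(const Item *it) { return it->next; }       /* CItem::Next */

/* Serialized header: 1-byte type (4 = itemlist) then a 4-byte element count
   (little-endian is an assumption). Returns -1 on malformed input. */
static int parse_itemlist_header(const uint8_t *buf, size_t len) {
    if (len < 5 || buf[0] != 4) return -1;
    uint32_t n = (uint32_t)buf[1] | (uint32_t)buf[2] << 8 |
                 (uint32_t)buf[3] << 16 | (uint32_t)buf[4] << 24;
    return n > INT32_MAX ? -1 : (int)n;
}

/* Build n placeholder items behind a sentinel head node (pool needs n+1 slots);
   a count of zero leaves head NULL, matching the empty list in the dump. */
static void build_list(ItemList *l, Item *pool, int n) {
    memset(l, 0, sizeof *l);
    if (n <= 0) return;                   /* empty list: head stays NULL */
    l->head = &pool[0];                   /* pool[0] is the sentinel head */
    for (int i = 0; i < n; i++) { pool[i].next = &pool[i + 1]; pool[i + 1].next = NULL; }
}
/* The advisory's idiom, Next(Head(list)): a NULL head reads [NULL+4] and faults. */
static int count_unchecked(const ItemList *l) {
    int n = 0;
    for (Item *it = item_next(itemlist_head(l)); it; it = item_next(it)) n++;
    return n;
}
/* Hardened traversal: validate the head before handing it to CItem::Next. */
static int count_checked(const ItemList *l) {
    Item *head = itemlist_head(l);
    int n = 0;
    if (head) for (Item *it = item_next(head); it; it = item_next(it)) n++;
    return n;
}
/* Constructed sample: header for n elements -> parse -> build -> count.
   hardened == 0 uses the original idiom, so only call it with n > 0. */
static int demo(uint32_t n, int hardened) {
    uint8_t hdr[5] = { 4, n & 0xff, (n >> 8) & 0xff, (n >> 16) & 0xff, (n >> 24) & 0xff };
    int count = parse_itemlist_header(hdr, sizeof hdr);
    if (count < 0 || count > 7) return -1;      /* pool below holds at most 8 nodes */
    Item pool[8]; ItemList l;
    build_list(&l, pool, count);
    return hardened ? count_checked(&l) : count_unchecked(&l);
}
```

Both traversals agree on a non-empty list; only the hardened one survives the empty itemlist (element count 0), which is exactly the input that crashes NWStorage.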

Crash Information

eax=00000000 ebx=0177b988 ecx=00000000 edx=0000005f esi=00000000 edi=0255fe54
eip=23001290 esp=0012f828 ebp=77e2f9a3 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
23001290 8b4104          mov     eax,dword ptr [ecx+4] ds:0023:00000004=????????

Timeline

2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.