CVE-2017-2858
An exploitable denial-of-service vulnerability exists in the traversal of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Natus Xltek NeuroWorks 8
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-125 - Out-of-bounds Read
Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.
Modules used in this advisory are below:
0:000> lm vm list
start end module name
23000000 23012000 List (export symbols) c:\Neuroworks\List.dll
Loaded symbol image file: c:\Neuroworks\List.dll
Image path: c:\Neuroworks\List.dll
Image name: List.dll
Timestamp: Wed Nov 06 09:58:18 2013 (527A833A)
CheckSum: 0001779F
ImageSize: 00012000
File version: 8.0.1.1544
Product version: 8.0.1.1544
Upon reception of data, NWStorage attempts to unserialize the data passed to it. NWStorage recognizes a variety of data types, one of which is the itemlist. The serialized format for the itemlist type is straightforward and is shown below:
char type; // 4 in the case of itemlist
int elements; // Number of elements in the itemlist
Item[elements] data; // Simple array of Items
When traversing a list, the following idiom is used to retrieve elements of the list:
list_head = CItemList::Head(current_list);
first_element = CItem::Next(list_head);
The CItemList::Head function is shown below:
List.dll
.text:230011E0 000 mov eax, [this+14h]
.text:230011E3 000 retn
The CItem::Next function is shown below:
List.dll
.text:23001290 000 mov eax, [this+4]
.text:23001293 000 retn
An example of an empty itemlist after unserialization is shown below:
0:000> dc ecx
0255fe54 2300a2d0 00000000 00000000 00000000 ...#............
0255fe64 2300f048 00000000 00000000 2300a2d0 H..#...........#
CItemList::Head can return a NULL value. This value can then be passed to CItem::Next, which attempts to dereference the +4 offset. This will cause an access violation resulting in a denial of service in the NWStorage service.
eax=00000000 ebx=0177b988 ecx=00000000 edx=0000005f esi=00000000 edi=0255fe54
eip=23001290 esp=0012f828 ebp=77e2f9a3 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
23001290 8b4104 mov eax,dword ptr [ecx+4] ds:0023:00000004=????????
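The itemlist format and the Head/Next traversal idiom described above, modelled as an added example that is not the advisory's or the vendor's code: a length-checked unserializer for "char type; int elements; Item[elements] data;", the traversal as written (Next on a possibly NULL Head), and the hardened form that checks Head first. The sentinel head node, the 4-byte little-endian Item payload and all names are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the advisory's itemlist: the sentinel head node and
 * the 4-byte little-endian Item payload are assumptions, not NWStorage's. */
typedef struct Item { uint32_t value; struct Item *next; } Item;
typedef struct ItemList { Item *head; uint32_t count; } ItemList;
#define ITEMLIST_TYPE 4
#define MAX_ITEMS 16
static Item g_pool[MAX_ITEMS + 1];          /* slot 0 is the sentinel head */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unserialize "char type; int elements; Item[elements] data;" into a list.
 * Returns 0 on success, -1 if the header is malformed or the element count
 * claims more bytes than the packet carries (the length-vs-count check). */
static int parse_itemlist(const uint8_t *buf, size_t len, ItemList *list) {
    list->head = NULL; list->count = 0;
    if (len < 5 || buf[0] != ITEMLIST_TYPE) return -1;
    uint32_t n = le32(buf + 1);
    if (n > MAX_ITEMS || (size_t)n * 4 > len - 5) return -1;
    for (uint32_t i = 0; i < n; i++) {
        g_pool[i + 1].value = le32(buf + 5 + 4 * i);
        g_pool[i].next = &g_pool[i + 1];
    }
    g_pool[n].next = NULL;
    list->head = n ? &g_pool[0] : NULL;     /* Head() is NULL for an empty list */
    list->count = n;
    return 0;
}

/* The advisory's idiom as written: Head() may be NULL and Next() reads
 * list_head->next unconditionally, the [ecx+4] read in the crash dump. */
static Item *first_element_unchecked(const ItemList *list) {
    Item *list_head = list->head;
    return list_head->next;                 /* faults when list_head == NULL */
}

/* Hardened form: validate Head() before handing it to Next(). Returns 1 and
 * sets *out to the first element, or 0 with *out == NULL for an empty list. */
static int first_element(const ItemList *list, Item **out) {
    Item *list_head = list->head;
    *out = NULL;
    if (list_head == NULL) return 0;
    *out = list_head->next;
    return *out != NULL;
}
```

The unchecked variant is kept only for side-by-side comparison with the checked one; a packet whose header reads "type 4, 0 elements" is exactly the empty itemlist that makes Head() return NULL.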
2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release
Discovered by Cory Duplantis of Cisco Talos.