CVE-2017-2861
An exploitable Denial of Service vulnerability exists in the use of a return value in the NewProducerStream command in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out of bounds read resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Natus Xltek NeuroWorks 8
http://www.natus.com/index.cfm?page=products_1&crid=224
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-125 - Out-of-bounds Read
Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.
The modules used in this advisory are shown below:
start end module name
00400000 00471000 storage (no symbols)
Loaded symbol image file: c:\Neuroworks\storage.exe
Image path: c:\Neuroworks\storage.exe
Image name: storage.exe
Timestamp: Wed Nov 06 10:11:09 2013 (527A863D)
CheckSum: 0006EC3D
ImageSize: 00071000
File version: 8.0.1.1544
Product version: 8.0.1.1544
start end module name
23000000 23012000 List (export symbols) c:\Neuroworks\List.dll
Loaded symbol image file: c:\Neuroworks\List.dll
Image path: c:\Neuroworks\List.dll
Image name: List.dll
Timestamp: Wed Nov 06 09:58:18 2013 (527A833A)
CheckSum: 0001779F
ImageSize: 00012000
File version: 8.0.1.1544
Product version: 8.0.1.1544
During the processing of the NewProducerStream command, a KeyTree data structure is expected. This data structure is a simple key-value structure similar to a map. A key of Study is expected to have an ItemList object that will be used for later processing. The pseudocode for this particular section of code is shown below:
Storage.exe+0x34BA0:
keytree_1 = (CKeyTree *)CItem::Next(v8); // [0]
...
study_key = "Study";
study_fromkeytree = CKeyTree::GetAt(keytree, study_key); // [1]
study_itemlist = CItem::AsItemList(study_fromkeytree); // [2]
if ( study_itemlist == (CItemList *)-1 ) // [3]
{
    CEtlException::CEtlException(&ex, "s:\\eegworks\\source\\storage\\storevw.cpp", 522, 0xC1010001, 0, 0, 0, 3);
    CEtlException::AddToEventLog(&ex, "s:\\eegworks\\source\\storage\\storevw.cpp", 522); // [4]
    CEtlException::~CEtlException(&ex);
}
v47 = (char *)-1;
v19 = CItemList::Head(study_itemlist); // [5]
v20 = CItem::AsKeyTree(v19);
The KeyTree is extracted from the data stream [0] and then the Study key is extracted [1]. The Study value is converted to an ItemList [2] and finally checked to ensure the conversion to an ItemList was valid [3]. If the conversion to an ItemList was invalid, the event is logged [4].
After logging the event, nothing changes about the return result from AsItemList. If there was an error, the return value would be -1. Subsequently, this value is passed directly to CItemList::Head [5]. Assuming this value is a valid ItemList, it is checked to ensure it is not empty by checking the Next pointer of the ItemList.
List!CLinteger::operator long const :
230011e0 8b4114 mov eax,dword ptr [ecx+14h] // [6]
230011e3 c3 ret
Because the argument is -1, this causes an Access Violation [6], resulting in a Denial of Service.
(fbc.998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7883af50 ebx=ffffffff ecx=ffffffff edx=0000005f esi=00000000 edi=230046d0
eip=230011e0 esp=0012f824 ebp=04f8dfe0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
List!CLinteger::operator long const :
230011e0 8b4114 mov eax,dword ptr [ecx+14h] ds:0023:00000013=????????
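The root cause described above is a check that logs the failed conversion but does not stop processing, so the -1 sentinel flows into the next accessor. The C program below is an added illustration of that pattern and of the one-line fix; it is not code from NeuroWorks, storage.exe or List.dll, and the CItem/CItemList/CKeyTree layouts, the handle_study_* functions and the constructed messages are assumptions made for the example. The emulated Head() accessor detects the sentinel and reports the address the real code would have loaded from (sentinel plus field offset, which is why the crash dump shows a tiny address like 00000013) rather than faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the types named in the advisory (CItem, CItemList,
   CKeyTree). The real layouts in List.dll / storage.exe are not known here. */
typedef enum { ITEM_INTEGER, ITEM_ITEMLIST, ITEM_KEYTREE } ItemKind;

typedef struct CItemList CItemList;
typedef struct CItem {
    ItemKind kind;
    struct CItem *next;
    union { long integer; CItemList *list; } u;
} CItem;

struct CItemList {
    size_t count;   /* a field before head, so the bad load is at (-1 + offset) */
    CItem *head;
};

typedef struct { const char *key; CItem *value; } KeyTreeEntry;
typedef struct { const KeyTreeEntry *entries; size_t n; } CKeyTree;

/* Sentinel the advisory describes: AsItemList() yields (CItemList *)-1 on a type mismatch. */
#define INVALID_ITEMLIST ((CItemList *)-1)

typedef enum { OUT_HEAD, OUT_EMPTY, OUT_REJECTED, OUT_WOULD_FAULT } OutcomeKind;
typedef struct { OutcomeKind kind; long head_value; uintptr_t fault_addr; } Outcome;

static CItem *keytree_get(const CKeyTree *kt, const char *key) {
    for (size_t i = 0; i < kt->n; i++)
        if (strcmp(kt->entries[i].key, key) == 0) return kt->entries[i].value;
    return NULL;
}

static CItemList *item_as_itemlist(CItem *item) {
    if (item == NULL || item->kind != ITEM_ITEMLIST) return INVALID_ITEMLIST;
    return item->u.list;
}

static void log_event(const char *file, int line, const char *msg) {
    fprintf(stderr, "%s:%d: %s\n", file, line, msg);
}

/* Emulates CItemList::Head(). A real accessor would execute the load at
   [list + offsetof(head)] unconditionally; here the sentinel is detected so the
   program can report the address it would have read instead of faulting. */
static Outcome itemlist_head(CItemList *list) {
    Outcome o = { OUT_EMPTY, 0, 0 };
    if (list == INVALID_ITEMLIST) {
        o.kind = OUT_WOULD_FAULT;
        o.fault_addr = (uintptr_t)list + offsetof(CItemList, head); /* wraps to a small address */
        return o;
    }
    if (list->head == NULL) return o;
    o.kind = OUT_HEAD;
    o.head_value = list->head->u.integer;
    return o;
}

/* Control flow as the advisory describes it: the conversion failure is logged
   at [4], but execution continues into Head() at [5] with the -1 sentinel. */
static Outcome handle_study_vulnerable(const CKeyTree *kt) {
    CItemList *study = item_as_itemlist(keytree_get(kt, "Study"));
    if (study == INVALID_ITEMLIST)
        log_event("storevw.cpp", 522, "Study is not an ItemList");   /* no early exit */
    return itemlist_head(study);
}

/* Hardened form: the same check also terminates processing of the message. */
static Outcome handle_study_fixed(const CKeyTree *kt) {
    CItemList *study = item_as_itemlist(keytree_get(kt, "Study"));
    if (study == INVALID_ITEMLIST) {
        log_event("storevw.cpp", 522, "Study is not an ItemList");
        Outcome rejected = { OUT_REJECTED, 0, 0 };
        return rejected;
    }
    return itemlist_head(study);
}

/* Constructed inputs: a well-formed message and one whose Study value is an integer. */
static CItem g_head_item = { ITEM_INTEGER, NULL, { .integer = 42 } };
static CItemList g_study_list = { 1, &g_head_item };
static CItem g_study_ok = { ITEM_ITEMLIST, NULL, { .list = &g_study_list } };
static CItem g_study_bad = { ITEM_INTEGER, NULL, { .integer = 7 } };
static const KeyTreeEntry g_ok_entries[] = { { "Study", &g_study_ok } };
static const KeyTreeEntry g_bad_entries[] = { { "Study", &g_study_bad } };
const CKeyTree g_good_message = { g_ok_entries, 1 };
const CKeyTree g_bad_message = { g_bad_entries, 1 };

int main(void) {
    Outcome v = handle_study_vulnerable(&g_bad_message);
    Outcome f = handle_study_fixed(&g_bad_message);
    printf("vulnerable: would read from 0x%lx\n", (unsigned long)v.fault_addr);
    printf("fixed: %s\n", f.kind == OUT_REJECTED ? "message rejected" : "unexpected");
    return 0;
}
```

The defensive point is that a sentinel return value must be consumed by the check that detects it: logging alone leaves the caller holding -1, and the next field access turns it into an unmapped read at sentinel-plus-offset. A validation step that rejects the message (or substitutes a safe empty list) closes the path.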
2017-07-15 - Initial Contact
2017-10-06 - Vendor Acknowledged
2018-04-04 - Public Release
Discovered by Cory Duplantis of Cisco Talos.