CVE-2017-2869
An exploitable code execution vulnerability exists in the OpenProducer functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause a stack buffer overflow resulting in code execution. An attacker can send a malicious packet to trigger this vulnerability.
Natus Xltek NeuroWorks 8
http://www.natus.com/index.cfm?page=products_1&crid=224
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-121: Stack-based Buffer Overflow
Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.
The modules used in this advisory are shown below:
0:006> lm vm Storage
start end module name
00400000 00471000 storage (deferred)
Image path: c:\Neuroworks\storage.exe
Image name: storage.exe
Timestamp: Wed Nov 06 10:11:09 2013 (527A863D)
CheckSum: 0006EC3D
ImageSize: 00071000
File version: 8.0.1.1544
Product version: 8.0.1.1544
One of the key data structures in NeuroWorks is the KeyTree. Internally, a KeyTree is a list of lists. The List and KeyTree structs are shown below:
struct KeyTree / List {
    char opcode;              // 5 for KeyTree, 4 for ItemList
    int num_elements;         // Number of elements in this KeyTree
    Item items[num_elements]; // List of elements
};
During the processing of the OpenProducer command, a client-supplied KeyTree is parsed looking for a SlowReviewLocalPath key. This extraction is shown below:
.text:00434807 push offset aSlowreviewloca ; "SlowReviewLocalPath"
.text:0043480C mov this, ebp
.text:0043480E call esi ; CKeyTree::GetAt(char const *) [1]
.text:00434810 mov this, eax
.text:00434812 call ds:CItem::AsCStr(char const *) [2]
.text:00434818 mov bl, 9
.text:0043481A mov byte ptr [esp+368h+var_4], bl
.text:00434821 lea this, [esp+368h+stLocalPath]
.text:00434825 call ds:ATL::CSimpleStringT<char,1>::GetLength(void) [3]
The item is retrieved [1] and cast to a C string [2]. Finally, its length is checked to be non-zero to ensure there is data to be processed [3]; only a non-zero length is required, and no maximum length is enforced. This data is then passed through a combination of splitpath and makepath, shown below.
.text:004348C2 lea this, [esp+36Ch+fname] [4]
.text:004348C9 push this ; Filename
.text:004348CA lea this, [esp+370h+stLocalPath]
.text:004348CE call ds:ATL::CSimpleStringT<char,1>::operator char const *(void)
.text:004348D4 push eax ; Dir
.text:004348D5 lea edx, [esp+374h+filename] [5]
.text:004348D9 push 0 ; Drive
.text:004348DB push edx ; Path
.text:004348DC call ds:__imp___makepath
The resulting makepath call writes the entire composed path into the filename local variable [5]. However, the user-supplied string [4] is not checked to ensure it does not exceed this buffer. This results in a stack-based buffer overflow and an exception being triggered. Because the overflow has overwritten the exception handlers, it gives direct control of the program.
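The check at [3] only rejects an empty value; nothing bounds the composed path by the size of the filename local. The following portable C stand-in is an added example, not code from the advisory, from Natus or from the Windows CRT: it reproduces the _makepath composition rules with the explicit size check that _makepath_s performs, and models the OpenProducer handling around it. The buffer size (260), the fname/ext components, and the sample SlowReviewLocalPath values are constructed assumptions; the advisory does not give the real buffer size.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the 'filename' stack local at [5]; the advisory does not
 * give the real size, so MAX_PATH (260) is used here as a constructed value. */
#define FILENAME_BUF 260

/* Portable stand-in for the CRT _makepath composition rules
 * ([drive][':'][dir]['\\'][fname]['.'][ext]) with the size check that
 * _makepath lacks and _makepath_s performs. Returns 0 on success, EINVAL on a
 * bad output buffer, ERANGE if the composed path would not fit; on ERANGE
 * nothing beyond out[0] is written. */
int makepath_bounded(char *out, size_t outsz,
                     const char *drive, const char *dir,
                     const char *fname, const char *ext)
{
    size_t dl = 0, dirl = 0, fl = 0, el = 0, need;
    int add_colon = 0, add_sep = 0, add_dot = 0;
    char *p;

    if (out == NULL || outsz == 0)
        return EINVAL;

    if (drive && *drive) {
        dl = strlen(drive);
        add_colon = (drive[dl - 1] != ':');
    }
    if (dir && *dir) {
        dirl = strlen(dir);
        add_sep = (dir[dirl - 1] != '\\' && dir[dirl - 1] != '/');
    }
    if (fname)
        fl = strlen(fname);
    if (ext && *ext) {
        el = strlen(ext);
        add_dot = (ext[0] != '.');
    }

    /* Every component is measured before a single byte is copied. */
    need = dl + add_colon + dirl + add_sep + fl + add_dot + el + 1; /* +1 NUL */
    if (need > outsz) {
        out[0] = '\0';
        return ERANGE;
    }

    p = out;
    if (dl)   { memcpy(p, drive, dl); p += dl; if (add_colon) *p++ = ':'; }
    if (dirl) { memcpy(p, dir, dirl); p += dirl; if (add_sep) *p++ = '\\'; }
    if (fl)   { memcpy(p, fname, fl); p += fl; }
    if (el)   { if (add_dot) *p++ = '.'; memcpy(p, ext, el); p += el; }
    *p = '\0';
    return 0;
}

/* Models the OpenProducer handling: the service only checks that the
 * SlowReviewLocalPath value is non-empty ([3]). Returns -1 for that case,
 * otherwise the result of the bounded composition. "study" and "eeg" stand
 * in for the fname/ext components at [4]; both are constructed values. */
int open_producer_local_path(const char *slow_review_local_path,
                             char *filename, size_t filename_sz)
{
    if (slow_review_local_path == NULL || slow_review_local_path[0] == '\0')
        return -1;                                  /* the check at [3] */
    return makepath_bounded(filename, filename_sz, NULL,
                            slow_review_local_path, "study", "eeg");
}

/* Helpers that run the model on constructed inputs. */
static char g_filename[FILENAME_BUF];

int run_case(const char *value)
{
    return open_producer_local_path(value, g_filename, sizeof g_filename);
}

const char *last_path(void)
{
    return g_filename;
}

/* A 400-byte directory string: longer than the buffer, so the bounded
 * version refuses it where _makepath would have overrun the stack local. */
int run_oversized_case(void)
{
    char big[401];
    memset(big, 'A', 400);
    big[400] = '\0';
    return run_case(big);
}

int main(void)
{
    int rc = run_case("C:\\Neuroworks\\data");   /* constructed sample value */
    printf("normal:    rc=%d path=%s\n", rc, last_path());
    printf("oversized: rc=%d (ERANGE=%d)\n", run_oversized_case(), ERANGE);
    printf("empty:     rc=%d\n", run_case(""));
    return 0;
}
```

The point of the bounded variant is ordering: the total length is computed from every component before any byte is written, so an oversized client-supplied directory fails closed with an empty buffer instead of running past the stack local. A defender reviewing similar code should treat any _makepath, strcpy or sprintf into a fixed-size stack buffer fed from a network-parsed string as the same defect class (CWE-121) regardless of whether a non-empty check precedes it.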
(abc.668): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77f06d8d esi=00000000 edi=00000000
eip=deadbeef esp=0012f298 ebp=0012f2b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
deadbeef ?? ???
2017-07-15 - Initial Contact
2017-10-06 - Vendor Acknowledged
2018-04-04 - Public Release
Discovered by Cory Duplantis and Tyler Bohan of Cisco Talos.