Talos Vulnerability Report

TALOS-2017-0354

Natus Xltek EEG NeuroWorks ItemList Deserialization Denial-of-Service Vulnerability

May 31, 2018
CVE Number

CVE-2017-2852

Summary

An exploitable denial-of-service vulnerability exists in the unserialization of lists functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

Upon reception of data, NWStorage attempts to unserialize the data passed to it. NWStorage recognizes a variety of data types, two of which are string and itemlist. The serialized format for the string type is shown below:

char type;  // 2 in the case of string
int length; // Length of the string plus 5 bytes for the header
char[length] string; // The string itself

The serialized format for the itemlist type is similar and shown below:

char type;    // 4 in the case of itemlist
int elements; // Number of elements in the itemlist
Item[elements] data; // Simple array of Items 

The process of unserializing the items in the list can be summarized in the following pseudocode:

total_num_elements = itemlist.elements;
current_num_elements = 0;
while ( 1 )
{
    current_item = UnserializeItem(itemlist_pointer);
    if ( !current_item )
        break;

    itemlist_pointer += current_item.length;
    if ( ++current_num_elements >= total_num_elements )
        return 1;
}

NWStorage honors the number of elements specified in the itemlist header and proceeds to attempt to unserialize that many items. The next item to be unserialized is determined by the length specified in that item's header. The unserialization of a generic item is shown below:

.text:23002492 018                 mov     edi, [esp+18h+buf] // Current Item buffer
.text:23002496 018                 test    edi, edi
.text:23002498 018                 jz      loc_2300261C    ; jumptable 230024B8 default case
.text:2300249E 018                 mov     esi, 5
.text:230024A3 018                 cmp     [edi+1], esi // Out of bounds

By providing an invalid length in an item header, an attacker causes NWStorage to advance the current position in the serialized buffer by an attacker-chosen number of bytes. If the resulting location lies outside the buffer, the comparison at 0x230024A3 reads from unmapped memory and crashes the service, resulting in a denial of service.
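As an added illustration that is not part of the Talos advisory or the vendor's code, the following C parser walks an itemlist in the format described above and checks every item's length field against the bytes remaining in the buffer before dereferencing the next header, which is the check the unserialization loop lacks. It assumes the 5-byte item header (1-byte type, 4-byte little-endian length, length counting the header) described above; the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ITEM_HDR      5   /* 1-byte type + 4-byte length (length includes header) */
#define TYPE_STRING   2
#define TYPE_ITEMLIST 4

/* Read a little-endian 32-bit value; caller guarantees 4 bytes are available. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk an itemlist of 'len' bytes. Returns the number of items found on
 * success, or -1 if any header or length would reach past the buffer.
 * Unlike the advisory's loop, the remaining size is checked before each
 * header is read, so a bogus length can never move the cursor out of bounds. */
int parse_itemlist(const uint8_t *buf, size_t len) {
    if (len < ITEM_HDR || buf[0] != TYPE_ITEMLIST) return -1;
    uint32_t total = rd32(buf + 1);      /* element count from the list header */
    size_t off = ITEM_HDR;
    uint32_t count = 0;
    while (count < total) {
        if (len - off < ITEM_HDR) return -1;                 /* header would overrun */
        uint32_t item_len = rd32(buf + off + 1);
        if (item_len < ITEM_HDR || item_len > len - off) return -1; /* bad length */
        off += item_len;                                     /* now provably in bounds */
        count++;
    }
    return (int)count;
}

/* Constructed sample: list of two string items, "abc" and "de". */
static const uint8_t good_pkt[] = { 4, 2,0,0,0,
                                    2, 8,0,0,0, 'a','b','c',
                                    2, 7,0,0,0, 'd','e' };
/* Constructed sample: second item claims 0x7FFFFFFF bytes (the advisory's trigger). */
static const uint8_t bad_pkt[]  = { 4, 2,0,0,0,
                                    2, 8,0,0,0, 'a','b','c',
                                    2, 0xff,0xff,0xff,0x7f, 'd','e' };
/* Constructed sample: header promises 3 items but only 2 are present. */
static const uint8_t short_pkt[] = { 4, 3,0,0,0,
                                     2, 8,0,0,0, 'a','b','c',
                                     2, 7,0,0,0, 'd','e' };

int main(void) {
    printf("good:  %d\n", parse_itemlist(good_pkt, sizeof good_pkt));   /* 2 */
    printf("bad:   %d\n", parse_itemlist(bad_pkt, sizeof bad_pkt));     /* -1 */
    printf("short: %d\n", parse_itemlist(short_pkt, sizeof short_pkt)); /* -1 */
    return 0;
}
```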

Crash Information

(508.df4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=024bfdd0 ebx=00000001 ecx=017d8fb0 edx=2300a2d0 esi=00000005 edi=e02b4e08
eip=230024a3 esp=024bfdc4 ebp=017d8f10 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
230024a3 397701          cmp     dword ptr [edi+0],esi ds:0023:e02b4e09=????????

Timeline

2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.