Talos Vulnerability Report

TALOS-2017-0364

Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial-of-Service Vulnerability

May 31, 2018
CVE Number

CVE-2017-2860

Summary

An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

The module used in this advisory is shown below:

0:000> lm vm List
start    end        module name
23000000 23012000   List       (export symbols)       c:\Neuroworks\List.dll
    Loaded symbol image file: c:\Neuroworks\List.dll
    Image path: c:\Neuroworks\List.dll
    Image name: List.dll
    Timestamp:        Wed Nov 06 09:58:18 2013 (527A833A)
    CheckSum:         0001779F
    ImageSize:        00012000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

One of the key data structures in Neuroworks is the KeyTree. Internally, a KeyTree is a list of lists. The list and KeyTree structs are shown below:

KeyTree/List
char opcode; // 5 for KeyTree, 4 for ItemList
int num_elements; // Number of elements in this KeyTree
Item[num_elements] items; // List of elements

Python pseudocode for this construct for a valid KeyTree is shown below:

keytree = clkeytree([
                    clitemlist([clstr("Connections\0")]),
                    clitemlist([clstr("Client\0")]),
                    clitemlist([clstr("ProcessId\0", 0x1234)]),
                    clitemlist([clstr("Study\0"), study]),
                    ])

Above, we see a KeyTree with a key of Connections.Client.ProcessId with a value of 0x1234, as well as a key of Study with a value of study (which would be defined elsewhere). The key feature here is that the KeyTree assumes that each of its elements is an ItemList.

One component of the traversal of the KeyTree is shown below:

List.dll
.text:2300447A 024                 mov     eax, [esi+14h]  // Esi - KeyTree struct
.text:2300447D 024                 test    eax, eax        // Eax - first ItemList in the KeyTree
.text:2300447F 024                 jz      loc_2300461F
.text:23004485 024                 lea     this, [eax+14h] // Retrieve `next value` from the ItemList
.text:23004488 024                 call    ds:ATL::CSimpleStringT<char,1>::operator char const *(void)

This snippet shows the beginning of the retrieval of the value in the first element of the first ItemList in a KeyTree. This code assumes that the first element of a KeyTree is an ItemList. If the first element of the KeyTree is instead a string data structure, the dereference at 0x23004485 doesn't necessarily point to a valid memory address. Passing an invalid address to the function at 0x23004488 will cause a crash of Neuroworks, resulting in a denial-of-service condition. The following pseudocode, used in place of the valid KeyTree above, triggers this vulnerability.

keytree = clkeytree([
                        clstr('A' * 4)
                    ])
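The two pseudocode fragments above rely on a `clkeytree`/`clitemlist`/`clstr` builder that the advisory does not reproduce. The following Python is an added example, not Talos or Natus code, that models the KeyTree/ItemList layout from the struct listing (opcode byte, element count, items) and shows the type check the List.dll traversal omits: before a child's "next value" is dereferenced, the walker confirms the child actually is an ItemList with a string name, so the malformed tree from the second fragment is rejected with an error instead of crashing the parser. The scalar opcodes (1 for string, 2 for int), the 4-byte little-endian count, the NUL-terminated string encoding and the `study-placeholder` value are assumptions made for this example only; the advisory does not document them.

```python
import struct

# Opcodes taken from the advisory's struct listing: 5 = KeyTree, 4 = ItemList.
OP_KEYTREE = 5
OP_ITEMLIST = 4
# The advisory does not document how scalar items are tagged; these two
# opcodes are assumptions made for this example only.
OP_STR = 1
OP_INT = 2

class KeyTree(list):
    """A KeyTree: expected to hold only ItemList children."""

class ItemList(list):
    """An ItemList: a name (str) optionally followed by values."""

def encode(node):
    """Serialise a node into the assumed wire layout (opcode, count, items)."""
    if isinstance(node, (KeyTree, ItemList)):
        op = OP_KEYTREE if isinstance(node, KeyTree) else OP_ITEMLIST
        return struct.pack("<Bi", op, len(node)) + b"".join(encode(c) for c in node)
    if isinstance(node, str):
        return struct.pack("<B", OP_STR) + node.encode("ascii") + b"\0"
    if isinstance(node, int):
        return struct.pack("<Bi", OP_INT, node)
    raise TypeError("unsupported item type: %r" % type(node).__name__)

def decode(buf, pos=0):
    """Parse one node at buf[pos]; return (node, next_pos).

    Every length is checked against the buffer before it is read, so a
    truncated or oversized packet raises ValueError rather than reading
    out of bounds."""
    if pos >= len(buf):
        raise ValueError("truncated packet at offset %d" % pos)
    op = buf[pos]
    pos += 1
    if op in (OP_KEYTREE, OP_ITEMLIST):
        if pos + 4 > len(buf):
            raise ValueError("truncated element count")
        (count,) = struct.unpack_from("<i", buf, pos)
        pos += 4
        if count < 0:
            raise ValueError("negative element count %d" % count)
        node = KeyTree() if op == OP_KEYTREE else ItemList()
        for _ in range(count):
            child, pos = decode(buf, pos)
            node.append(child)
        return node, pos
    if op == OP_STR:
        end = buf.find(b"\0", pos)
        if end < 0:
            raise ValueError("unterminated string")
        return buf[pos:end].decode("ascii"), end + 1
    if op == OP_INT:
        if pos + 4 > len(buf):
            raise ValueError("truncated integer")
        (value,) = struct.unpack_from("<i", buf, pos)
        return value, pos + 4
    raise ValueError("unknown opcode %d" % op)

def entries(tree):
    """Walk a KeyTree and return [(name, values), ...].

    Hardened counterpart of the List.dll traversal: each child is checked to
    be an ItemList with a str name before anything is dereferenced, which is
    the check the vulnerable lookup omits."""
    if not isinstance(tree, KeyTree):
        raise ValueError("root is not a KeyTree")
    out = []
    for index, child in enumerate(tree):
        if not isinstance(child, ItemList):
            raise ValueError("KeyTree element %d is %s, not ItemList"
                             % (index, type(child).__name__))
        if not child or not isinstance(child[0], str):
            raise ValueError("ItemList %d has no string name" % index)
        out.append((child[0], list(child[1:])))
    return out

def first_key(tree):
    """Name of the first entry, i.e. what the snippet at 0x2300447A retrieves."""
    names = entries(tree)
    if not names:
        raise ValueError("empty KeyTree")
    return names[0][0]

# Constructed sample mirroring the advisory's valid KeyTree (the "study"
# value is a placeholder string here).
VALID = KeyTree([
    ItemList(["Connections"]),
    ItemList(["Client"]),
    ItemList(["ProcessId", 0x1234]),
    ItemList(["Study", "study-placeholder"]),
])
# Constructed sample mirroring the advisory's malformed KeyTree: the first
# element is a string rather than an ItemList.
MALFORMED = KeyTree(["AAAA"])

def check(packet):
    """Parse a packet and walk it; return the entries or the rejection reason."""
    try:
        tree, end = decode(packet)
        if end != len(packet):
            raise ValueError("%d trailing bytes" % (len(packet) - end))
        return ("ok", entries(tree))
    except ValueError as err:
        return ("rejected", str(err))

if __name__ == "__main__":
    print(check(encode(VALID)))
    print(check(encode(MALFORMED)))
```

Running the module parses both constructed packets: the valid one yields the four named entries, while the malformed one is reported as "KeyTree element 0 is str, not ItemList" by `entries()`, the point at which the real traversal instead computes `eax+14h` on a string object and hands a bad pointer to the ATL string accessor. Truncating the packet is caught by the length checks in `decode()` for the same reason.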

Crash Information

(610.880): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Neuroworks\List.dll -
eax=05091ff8 ebx=04f84f68 ecx=0509200c edx=020b1078 esi=0508ffe8 edi=0000000b
eip=786d540c esp=0012f7ec ebp=00450828 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mfc90+0xf540c:
786d540c 8b01            mov     eax,dword ptr [ecx]  ds:0023:0509200c=????????

Timeline

2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.