Talos Vulnerability Report


Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial-of-Service Vulnerability

May 31, 2018
CVE Number



An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs


CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CWE-125 - Out-of-bounds Read


Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

The module used in this advisory is shown below:

0:000> lm vm List
start    end        module name
23000000 23012000   List       (export symbols)       c:\Neuroworks\List.dll
    Loaded symbol image file: c:\Neuroworks\List.dll
    Image path: c:\Neuroworks\List.dll
    Image name: List.dll
    Timestamp:        Wed Nov 06 09:58:18 2013 (527A833A)
    CheckSum:         0001779F
    ImageSize:        00012000
    File version:
    Product version:

One of the key data structures in NeuroWorks is the KeyTree. Internally, a KeyTree is a list of lists. The list and KeyTree structs are shown below:

char opcode; // 5 for KeyTree, 4 for ItemList
int num_elements; // Number of elements in this KeyTree
Item[num_elements] items; // List of elements

Python pseudocode for this construct for a valid KeyTree is shown below:

keytree = clkeytree([
                    clitemlist([clstr("ProcessId\0", 0x1234)]),
                    clitemlist([clstr("Study\0"), study]),
                    ])

Above, we see a KeyTree with a key of Connections.Client.ProcessId with a value of 0x1234, as well as a key of study with a value of study (which would be defined elsewhere). The key feature here is that the KeyTree assumes that each of its elements is an ItemList.

One component of the traversal of the KeyTree is shown below:

.text:2300447A 024                 mov     eax, [esi+14h]  // Esi - KeyTree struct
.text:2300447D 024                 test    eax, eax        // Eax - first ItemList in the KeyTree
.text:2300447F 024                 jz      loc_2300461F
.text:23004485 024                 lea     this, [eax+14h] // Retrieve `next value` from the ItemList
.text:23004488 024                 call    ds:ATL::CSimpleStringT<char,1>::operator char const *(void)

This snippet shows the beginning of the retrieval of the value in the first element of the first ItemList in a KeyTree. This code assumes that the first element of a KeyTree is an ItemList. If the first element of the KeyTree is a string data structure, for instance, the address computed at 0x23004485 doesn't necessarily point to valid memory. Passing an invalid address to the function at 0x23004488 will cause a crash of NeuroWorks, resulting in a denial-of-service condition. For example, replacing the valid pseudocode above with the pseudocode below will trigger this vulnerability.

keytree = clkeytree([
                        clstr('A' * 4)
                    ])
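
The type check that the traversal above omits, as an added example that is not part of the original advisory or the vendor's code: a C sketch that validates a KeyTree before any lookup touches its children. The `Item` layout, the `OP_STR` tag value and all function names are assumptions; only opcodes 4 and 5 come from the advisory.

```c
#include <stdio.h>
#include <string.h>
/* 4 and 5 are the advisory's opcodes; OP_STR = 1 is an assumed tag for strings. */
enum { OP_STR = 1, OP_ITEMLIST = 4, OP_KEYTREE = 5 };
enum { KT_OK = 0, KT_NOT_KEYTREE = -1, KT_BAD_CHILD = -2, KT_BAD_KEY = -3 };
typedef struct Item {            /* hypothetical in-memory node, not List.dll's layout */
    char opcode;                 /* type tag */
    int num_elements;            /* child count (KeyTree / ItemList) */
    const struct Item **items;   /* children (KeyTree / ItemList) */
    const char *str;             /* payload (string items) */
} Item;

/* Accept a KeyTree only if every child is an ItemList that starts with a string key. */
int keytree_validate(const Item *kt) {
    if (!kt || kt->opcode != OP_KEYTREE) return KT_NOT_KEYTREE;
    if (kt->num_elements < 0 || (kt->num_elements > 0 && !kt->items)) return KT_BAD_CHILD;
    for (int i = 0; i < kt->num_elements; i++) {
        const Item *child = kt->items[i];
        if (!child || child->opcode != OP_ITEMLIST) return KT_BAD_CHILD; /* the missing check */
        if (child->num_elements < 1 || !child->items) return KT_BAD_KEY;
        const Item *key = child->items[0];
        if (!key || key->opcode != OP_STR || !key->str) return KT_BAD_KEY;
    }
    return KT_OK;
}

/* Lookup touches child fields only after the whole tree has been validated. */
const Item *keytree_lookup(const Item *kt, const char *name) {
    if (!name || keytree_validate(kt) != KT_OK) return NULL;
    for (int i = 0; i < kt->num_elements; i++)
        if (strcmp(kt->items[i]->items[0]->str, name) == 0) return kt->items[i];
    return NULL;
}

/* Constructed samples mirroring the advisory's valid and malformed pseudocode. */
static const Item k_pid = { OP_STR, 0, NULL, "ProcessId" };
static const Item k_study = { OP_STR, 0, NULL, "Study" };
static const Item *pid_items[] = { &k_pid }, *study_items[] = { &k_study };
static const Item l_pid = { OP_ITEMLIST, 1, pid_items, NULL };
static const Item l_study = { OP_ITEMLIST, 1, study_items, NULL };
static const Item *good_items[] = { &l_pid, &l_study };
static const Item good_tree = { OP_KEYTREE, 2, good_items, NULL };
static const Item s_aaaa = { OP_STR, 0, NULL, "AAAA" };
static const Item *bad_items[] = { &s_aaaa };
static const Item bad_tree = { OP_KEYTREE, 1, bad_items, NULL };
int main(void) {
    printf("valid=%d malformed=%d\n", keytree_validate(&good_tree), keytree_validate(&bad_tree));
    return 0;
}
```

With the malformed tree, the string child is rejected with `KT_BAD_CHILD` before any field of it is read as an ItemList.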

Crash Information

(610.880): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\Neuroworks\List.dll -
eax=05091ff8 ebx=04f84f68 ecx=0509200c edx=020b1078 esi=0508ffe8 edi=0000000b
eip=786d540c esp=0012f7ec ebp=00450828 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
786d540c 8b01            mov     eax,dword ptr [ecx]  ds:0023:0509200c=????????


2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release


Discovered by Cory Duplantis of Cisco Talos.