Talos Vulnerability Report

TALOS-2017-0365

Natus Xltek EEG NeuroWorks NewProducerStream Use of Return Value Denial of Service Vulnerability

April 4, 2018
CVE Number

CVE-2017-2861

Summary

An exploitable Denial of Service vulnerability exists in the use of a return value in the NewProducerStream command in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out of bounds read resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com/index.cfm?page=products_1&crid=224

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

The modules referenced in this advisory are shown below:

start    end        module name
00400000 00471000   storage    (no symbols)
    Loaded symbol image file: c:\Neuroworks\storage.exe
    Image path: c:\Neuroworks\storage.exe
    Image name: storage.exe
    Timestamp:        Wed Nov 06 10:11:09 2013 (527A863D)
    CheckSum:         0006EC3D
    ImageSize:        00071000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

start    end        module name
23000000 23012000   List       (export symbols)       c:\Neuroworks\List.dll
    Loaded symbol image file: c:\Neuroworks\List.dll
    Image path: c:\Neuroworks\List.dll
    Image name: List.dll
    Timestamp:        Wed Nov 06 09:58:18 2013 (527A833A)
    CheckSum:         0001779F
    ImageSize:        00012000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

During the processing of the NewProducerStream command, a KeyTree data structure is expected. This data structure is a simple key-value structure similar to a map. A key of Study is expected to have an ItemList object that will be used for later processing. The pseudocode for this particular section of code is shown below:

Storage.exe+0x34BA0:

keytree = (CKeyTree *)CItem::Next(v8);                   // [0]
...
study_key = "Study";
study_fromkeytree = CKeyTree::GetAt(keytree, study_key); // [1]
study_itemlist = CItem::AsItemList(study_fromkeytree);   // [2]
if ( study_itemlist == (CItemList *)-1 )                 // [3]
{
    CEtlException::CEtlException(&ex, "s:\\eegworks\\source\\storage\\storevw.cpp", 522, 0xC1010001, 0, 0, 0, 3);
    CEtlException::AddToEventLog(&ex, "s:\\eegworks\\source\\storage\\storevw.cpp", 522); // [4]
    CEtlException::~CEtlException(&ex);
}
v47 = (char *)-1;
v19 = CItemList::Head(study_itemlist); // [5]
v20 = CItem::AsKeyTree(v19);

The KeyTree is extracted from the data stream [0] and then the Study key is extracted [1]. The Study value is converted to an ItemList [2] and finally checked to ensure the conversion to an ItemList was valid [3]. If the conversion to an ItemList was invalid, the event is logged.

Logging the event does not alter the return value from AsItemList, and execution falls through. If the conversion failed, that value is -1, and it is passed directly to CItemList::Head [5]. Head assumes it received a valid ItemList and checks that the list is not empty by reading its Next pointer.

List!CLinteger::operator long const :
230011e0 8b4114          mov     eax,dword ptr [ecx+14h] // [6]
230011e3 c3              ret

Because the argument is -1, the read at [6] touches an invalid address and raises an Access Violation, resulting in a Denial of Service.
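The unchecked-sentinel pattern described above, beside a hardened form that stops processing the command, as an added C example that is not the advisory's or Natus' code. The item, item_list and key_tree types and all function names are constructed stand-ins for the CItem, CItemList and CKeyTree classes, and faulting_address only reproduces the 32-bit address arithmetic behind the ds:0023:00000013 fault in the crash dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the CItem, CItemList and CKeyTree types in the advisory;
 * the field layout is illustrative, not NeuroWorks' real one. */
typedef enum { ITEM_INTEGER, ITEM_LIST } item_kind;
typedef struct item {
    const char  *key;    /* key under which a KeyTree stores this item */
    item_kind    kind;
    struct item *next;   /* sibling linkage inside a KeyTree or ItemList */
} item;
typedef item item_list;                  /* an ItemList is an item of kind ITEM_LIST */
typedef struct { item *first; } key_tree;
#define ITEMLIST_INVALID ((item_list *)-1) /* the (CItemList *)-1 sentinel */
/* Mirrors CKeyTree::GetAt: NULL when the key is absent. */
static item *keytree_get_at(const key_tree *kt, const char *key) {
    for (item *it = kt->first; it != NULL; it = it->next)
        if (strcmp(it->key, key) == 0) return it;
    return NULL;
}
/* Mirrors CItem::AsItemList: a sentinel, not NULL, signals a type mismatch. */
static item_list *as_item_list(item *it) {
    return (it != NULL && it->kind == ITEM_LIST) ? it : ITEMLIST_INVALID;
}
/* Vulnerable shape: the check at [3] only logs, so the sentinel flows on to Head at [5].
 * Returns the pointer CItemList::Head would receive. */
static item_list *study_list_vulnerable(const key_tree *kt) {
    item_list *study = as_item_list(keytree_get_at(kt, "Study"));
    if (study == ITEMLIST_INVALID)
        fputs("Study is not an ItemList (logged, processing continues)\n", stderr);
    return study;                        /* may be (item_list *)-1 */
}
/* Hardened shape: log, then reject the command. 0 on success; -1 and *out == NULL otherwise. */
static int study_list_fixed(const key_tree *kt, item_list **out) {
    item_list *study = as_item_list(keytree_get_at(kt, "Study"));
    *out = NULL;
    if (study == ITEMLIST_INVALID) {
        fputs("Study is not an ItemList; rejecting packet\n", stderr);
        return -1;
    }
    *out = study;
    return 0;
}
/* Address that `mov eax,[ecx+14h]` [6] reads for a given `this` on 32-bit x86. */
static uint32_t faulting_address(const void *self) {
    return (uint32_t)(uintptr_t)self + 0x14u;
}
```

With `this` equal to -1 the read lands at 0x13, which is the address shown in the crash information below.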

Crash Information

(fbc.998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7883af50 ebx=ffffffff ecx=ffffffff edx=0000005f esi=00000000 edi=230046d0
eip=230011e0 esp=0012f824 ebp=04f8dfe0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
List!CLinteger::operator long const :
230011e0 8b4114          mov     eax,dword ptr [ecx+14h] ds:0023:00000013=????????

Timeline

2017-07-15 - Initial Contact
2017-10-06 - Vendor Acknowledged
2018-04-04 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.