Talos Vulnerability Report

TALOS-2017-0373

Natus Xltek EEG NeuroWorks SavePatientMontage Code Execution Vulnerability

April 4, 2018
CVE Number

CVE-2017-2867

Summary

An exploitable code execution vulnerability exists in the SavePatientMontage functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause a stack buffer overflow resulting in code execution. An attacker can a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com/index.cfm?page=products_1&crid=224

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

The modules used in this advisory are shown below:

0:006> lm vm Storage
start    end        module name
00400000 00471000   storage    (deferred)
    Image path: c:\Neuroworks\storage.exe
    Image name: storage.exe
    Timestamp:        Wed Nov 06 10:11:09 2013 (527A863D)
    CheckSum:         0006EC3D
    ImageSize:        00071000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

One of the key data structures in Neuroworks is the KeyTree. Internally, a KeyTree is a List of Lists. The List and KeyTree structs are shown below:

KeyTree/List
char opcode; // 5 for KeyTree, 4 for ItemList
int num_elements ; // Number of elements in this KeyTree
Item[num_elements] items; // List of elements

During the processing of the SavePatientMontage command, a client supplied KeyTree is parsed looking for a Data.Name key. The extraction of the Data.Name element is shown below:

.text:00410E2D 12C                 push    offset str.unknown 
.text:00410E32 126                 lea     this, [esp+130h+sNewName]
.text:00410E36 130                 push    this
.text:00410E37 134                 push    offset str.Data_Name ; "Data.Name"
.text:00410E3C 138                 mov     this, edi            ; Client supplied KeyTree
.text:00410E3E 138                 call    esi ; CKeyTree::GetAt(char const *)

This return value is an Item type. In order to extract the literal string from the Item, CItem::AsCStr is called as shown below:

.text:00410E40 12C                 mov     this, eax
.text:00410E42 12C                 call    ds:CItem::AsCStr(char const *)

This string is finally passed to makepath in order to create a file path in preparation for setting a local variable.

.text:00410E6A 134                 push    eax             ; Client controlled string
.text:00410E6B 138                 lea     edx, [esp+138h+path]
.text:00407E6F 138                 push    0               
.text:00407E71 13C                 push    edx             
.text:00407E72 140                 call    ds:__imp___makepath

Makepath does not guarantee that the resulting string will fit in the supplied buffer. The client can supply a string larger than the allocated stack buffer, causing a buffer overflow. Due to the overflow, the exception handlers have been overwritten giving direct control of the program.

Crash Information

Attacker controlled stack canary value in `ecx`:

eax=7883af50 ebx=00000000 ecx=deadbeef edx=00000084 esi=230046d0 edi=04ec99a0
eip=00410f02 esp=0012f97c ebp=1abaefe0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
storage!CPatientDoc::UpdatePatientMontageFileName+0x142:
00410f02 33cc            xor     ecx,esp

Timeline

2017-07-15 - Initial Contact
2017 -10-06 - Vendor Acknowledged
2018-04-04 - Public Release

Credit

Discovered by Cory Duplantis and Tyler Bohan of Cisco Talos.