Talos Vulnerability Report

TALOS-2017-0374

Natus Xltek EEG NeuroWorks NewProducerStream Code Execution Vulnerability

April 4, 2018
CVE Number

CVE-2017-2868

Summary

An exploitable code execution vulnerability exists in the NewProducerStream functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause a stack buffer overflow resulting in code execution. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Natus Xltek NeuroWorks 8

Product URLs

http://www.natus.com/index.cfm?page=products_1&crid=224

CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.

The modules used in this advisory are shown below:

0:006> lm vm Storage
start    end        module name
00400000 00471000   storage    (deferred)
    Image path: c:\Neuroworks\storage.exe
    Image name: storage.exe
    Timestamp:        Wed Nov 06 10:11:09 2013 (527A863D)
    CheckSum:         0006EC3D
    ImageSize:        00071000
    File version:     8.0.1.1544
    Product version:  8.0.1.1544

One of the key data structures in Neuroworks is the KeyTree. Internally, a KeyTree is a List of Lists. The List and KeyTree structs are shown below:

KeyTree/List
char opcode; // 5 for KeyTree, 4 for ItemList
int num_elements ; // Number of elements in this KeyTree
Item[num_elements] items; // List of elements

During the processing of the NewProducerStream command, a client supplied KeyTree is parsed looking for a SlowReviewLocalPath key. This extraction is shown below:

.text:00434F01                 push    offset aSlowreviewloca ; "SlowReviewLocalPath"
.text:00434F06                 mov     this, ebx
.text:00434F08                 call    edi ; CKeyTree::GetAt(char const *) [1]
.text:00434F0A                 mov     this, eax
.text:00434F0C                 call    ds:CItem::AsCStr(char const *)  [2]
.text:00434F12                 mov     [esp+364h+var_4], 6
.text:00434F1D                 lea     this, [esp+364h+stLocalPath]
.text:00434F21                 call    ds:ATL::CSimpleStringT<char,1>::GetLength(void) [3]
.text:00434F27                 test    eax, eax

The actual item is returned, [1] and cast into a C string, [2]. Finally its length is checked to be non zero to ensure there is data to be processed, [3]. This data is then passed through a combination of splitpath and makepath shown below.

.text:00434FBF                 lea     this, [esp+368h+fname] //user controlled  [4]
.text:00434FC6                 push    this            ; Filename
.text:00434FC7                 lea     this, [esp+36Ch+stLocalPath]
.text:00434FCB                 call    ds:ATL::CSimpleStringT<char,1>::operator char const *(void)
.text:00434FD1                 push    eax             ; Dir
.text:00434FD2                 lea     edx, [esp+370h+filename]  [5]
.text:00434FD6                 push    0               ; Drive
.text:00434FD8                 push    edx             ; Path
.text:00434FD9                 call    ds:__imp___makepath

The resulting makepath call will put the entire filename into the filename local variable, [5]. However the user supplied string, [4], is not checked to ensure it does not overstep this boundary. This results in a stack based buffer overflow and an exception triggered. Due to the overflow the exception handlers have been overwritten giving direct control of the program.

Crash Information

(abc.668): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77f06d8d esi=00000000 edi=00000000
eip=deadbeef esp=0012f298 ebp=0012f2b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
deadbeef ??              ???

Timeline

2017-07-15 - Initial vendor contact
2017-10-06 - Vendor Acknowledged
2018-04-04 - Public Release

Credit

Discovered by Cory Duplantis and Tyler Bohan of Cisco Talos.