National Instruments LabVIEW LvVarientUnflatten Code Execution Vulnerability(CVE-2017-2775)

2017-09-20T00:00:00
ID SSV:96545
Type seebug
Reporter Root
Modified 2017-09-20T00:00:00

Description

Summary

An exploitable memory corruption vulnerability exists in the LvVarientUnflatten functionality of LabVIEW 2016 version 16.0.0.49152. A specially crafted VI file can cause a user controlled value to be used as a loop terminator resulting in internal heap corruption. An attacker controlled VI file can be used to trigger this vulnerability, exploitation could lead to remote code execution.

Tested Versions

LabVIEW 2016 Evaluation (version 16.0.0.49152) 64-bit only - (only versions prior to LabVIEW 2017 are affected)

Product URLs

http://www.ni.com/labview/

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122: Heap-based Buffer Overflow

Details

LabVIEW provides engineers a simple environment to build measurement or control systems. LabVIEW is used to abstract many of the low-level details of various hardware and signal-processing libraries into a single platform. It uses a graphical programming approach to achieve this goal. Modules utilized in this vulnerability: `` start end module name 000000000ae60000 00000000`0b02c000 tdcore_16_0 (deferred) Image path: C:\Program Files\National Instruments\LabVIEW 2016\resource\tdcore_16_0.dll Image name: tdcore_16_0.dll Browse all global symbols functions data Timestamp: Wed Jun 08 11:51:42 2016 (57585B2E) CheckSum: 001CF8D0 ImageSize: 001CC000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

start end module name 0000000004f70000 0000000005069000 mgcore_SH_16_0 (deferred) Image path: C:\Program Files\National Instruments\LabVIEW 2016\resource\mgcore_SH_16_0.dll Image name: mgcore_SH_16_0.dll Browse all global symbols functions data Timestamp: Wed Jun 08 11:00:25 2016 (57584F29) CheckSum: 000E3FEE ImageSize: 000F9000 File version: 16.0.0.49152 Product version: 16.0.0.49152 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: National Instruments Corporation ProductName: MGCOREDLL_SH InternalName: MGCOREDLL_SH 16.0.0f0 OriginalFilename: mgcore_SH_16_0.dll ProductVersion: 16.0.0f0 FileVersion: 16.0.0f0 FileDescription: LabVIEW NonUI Managers LegalCopyright: Copyright © 2000-2016 National Instruments Corporation. All Rights Reserved. Comments: 2016/06/08 11:29:22, mgcore_SH_16_0/win64U/x64/msvc90/release During the unflattening of a LvVarient object, a call to `ReadTD` occurs [0]: tdcore_16_0!LvVariant::UnFlatten+0x19c .text:0000000000815281 loc_815281: ; DATA XREF: .rdata:stru_93F5A0o .text:0000000000815281 108 mov rax, [rdi] .text:0000000000815284 108 lea rdx, [rsp+108h+readTD_obj] .text:0000000000815289 108 mov rcx, rdi .text:000000000081528C 108 call qword ptr [rax+0E0h] ; ReadTD [0] ```

During this ReadTD, various pieces of the input file is read using ReadU32 from a BinDataReader [1]. This object provides an interface to an open file handle to read input in various formats. In this case, an unsigned 32 bit integer is being read from the file. tdcore_16_0!TDDataReader::ConstructEltTD+0x4c3 TDDataReader::ConstructEltTD(void)+4BA TDDataReader::ConstructEltTD(void)+4BA loc_826C7A: ; CODE XREF: TDDataReader::ConstructEltTD(void)+458j TDDataReader::ConstructEltTD(void)+4BA 0F8 mov rax, [rcx] TDDataReader::ConstructEltTD(void)+4BD 0F8 mov rdx, rdi TDDataReader::ConstructEltTD(void)+4C0 0F8 call qword ptr [rax+78h] ; BinDataReader::ReadU32 [1] TDDataReader::ConstructEltTD(void)+4C3 0F8 test eax, eax TDDataReader::ConstructEltTD(void)+4C5 0F8 jz short loc_826CE7

While parsing the LastSavedTarget segment of the input file, four bytes are read which are used as a loop condition in which ClearMem is called over chunks of the heap structure internal to LabVIEW. ``` tdcore_16_0!TDArrayBaseImp::PrintDebugStr+0x8f1 .text:000000000083B291 loop: .text:000000000083B291 088 mov rax, [r13+0] .text:000000000083B295 088 mov r10, [r12] .text:000000000083B299 088 mov r9d, 1 .text:000000000083B29F 088 mov rcx, [rax] .text:000000000083B2A2 088 mov r8d, r15d .text:000000000083B2A5 088 mov dword ptr [rsp+88h+var_68], ebp .text:000000000083B2A9 088 lea rdx, [rbx+rcx] .text:000000000083B2AD 088 mov rcx, r12 .text:000000000083B2B0 088 call qword ptr [r10+0B0h] ; Calls ClearMem .text:000000000083B2B7 088 test eax, eax .text:000000000083B2B9 088 jnz short return_result .text:000000000083B2BB 088 movsxd rax, r14d .text:000000000083B2BE 088 inc rdi .text:000000000083B2C1 088 add rbx, rax .text:000000000083B2C4 088 cmp rdi, rsi .text:000000000083B2C7 088 jb short loop .text:000000000083B2C9 counter_terminated: .text:000000000083B2C9 088 xor eax, eax .text:000000000083B2CB 088 jmp short return_result .text:000000000083B2CD return_2: .text:000000000083B2CD 088 mov eax, 2 .text:000000000083B2D2 return_result: .text:000000000083B2D2 088 mov rsi, [rsp+88h+arg_18]

tdcore_16_0!TDImpClearMemory+0x5 .text:0000000000821465 000 push rbx .text:0000000000821466 008 sub rsp, 20h .text:000000000082146A 028 mov rax, [rdx] .text:000000000082146D 028 mov r9, rdx .text:0000000000821470 028 mov rbx, rcx .text:0000000000821473 028 xor edx, edx .text:0000000000821475 028 mov rcx, r9 .text:0000000000821478 028 call qword ptr [rax+90h] ; returns 8 .text:000000000082147E 028 mov rcx, rbx ; Internal heap address .text:0000000000821481 028 movsxd rdx, eax ; 8 .text:0000000000821484 028 call ClearMem

mgcore_SH_16_0!ClearMem: ClearMem_233168 000 sub rsp, 28h ClearMem_233168+4 028 mov r8, rdx ; Size ClearMem_233168+7 028 xor edx, edx ; Val ClearMem_233168+9 028 call memset ```

In each iteration of the loop, the current internal heap address is cleared in 8 byte chunks and incremented to the next heap address. By supplying an invalid loop termiator, an attacker can clear internal heap chunks which could potentially lead to remote code execution.

Crash Information

`` rax=000000000bf0c000 rbx=000000000bf0c000 rcx=000000000bf0c000 rdx=0000000000000000 rsi=00000000069390c0 rdi=000000000bf0c000 rip=000000007328e5d0 rsp=000000000042c4c8 rbp=0000000000000000 r8=0000000000000000 r9=0000000000000001 r10=0000000002b0db38 r11=0000000000000000 r12=00000000069390c0 r13=000000000bf07820 r14=0000000000000008 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc MSVCR90+0x1e5d0: 000000007328e5d0 488911 mov qword ptr [rcx],rdx ds:00000000`0bf0c000=????????????????

000000007328e5bc 7539 jne MSVCR90+0x1e5f7 (000000007328e5f7) 000000007328e5be 4d8bc8 mov r9,r8 000000007328e5c1 4983e007 and r8,7 000000007328e5c5 49c1e903 shr r9,3 000000007328e5c9 7411 je MSVCR90+0x1e5dc (000000007328e5dc) 000000007328e5cb 66666690 xchg ax,ax 000000007328e5cf 90 nop MSVCR90+0x1e5d0: 000000007328e5d0 488911 mov qword ptr [rcx],rdx ⇐ instruction pointer ```

Timeline

  • 2017-01-13 - Vendor Disclosure
  • 2017-03-22 - Public Release

CREDIT

  • Discovered by Cory Duplantis of Cisco Talos