Vulnerabilities > CVE-2017-2775 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in NI Labview 16.0.0.49152

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
ni
CWE-119
nessus

Summary

An exploitable memory corruption vulnerability exists in the LvVariantUnflatten functionality in 64-bit versions of LabVIEW before 2015 SP1 f7 Patch and 2016 before f2 Patch. A specially crafted VI file can cause a user controlled value to be used as a loop terminator resulting in internal heap corruption. An attacker controlled VI file can be used to trigger this vulnerability, exploitation could lead to remote code execution.

Vulnerable Configurations

Part Description Count
Application
Ni
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL familyWindows
NASL idLABVIEW_CVE-2017-2775.NASL
descriptionThe version of National Instruments (NI) LabVIEW installed on the remote Windows host is version 2015 prior to 2015 SP1 f7 or 2016 prior to 2016 f2. It is, therefore, affected by an arbitrary code execution vulnerability in the LvVarientUnflatten functionality due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted VI file, to cause a heap-based buffer overflow, allowing the execution of arbitrary code.
last seen2020-06-01
modified2020-06-02
plugin id99928
published2017-05-02
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/99928
titleNational Instruments LabVIEW 2015 < 2015 SP1 f7 / 2016 < 2016 f2 LvVarientUnflatten VI File Handling Arbitrary Code Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99928);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2017-2775");
  script_bugtraq_id(97020);

  script_name(english:"National Instruments LabVIEW 2015 < 2015 SP1 f7 / 2016 < 2016 f2 LvVarientUnflatten VI File Handling Arbitrary Code Execution");
  script_summary(english:"Checks the version of National Instruments LabVIEW.");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Windows host is affected by
an arbitrary code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of National Instruments (NI) LabVIEW installed on the
remote Windows host is version 2015 prior to 2015 SP1 f7 or 2016 prior
to 2016 f2. It is, therefore, affected by an arbitrary code execution
vulnerability in the LvVarientUnflatten functionality due to improper
validation of user-supplied input. An unauthenticated, remote attacker
can exploit this, by convincing a user to open a specially crafted VI
file, to cause a heap-based buffer overflow, allowing the execution of
arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"http://www.ni.com/product-documentation/53294/en/");
  script_set_attribute(attribute:"see_also", value:"http://www.ni.com/product-documentation/53281/en/");
  script_set_attribute(attribute:"see_also", value:"http://www.ni.com/labview/product-lifecycle/");
  script_set_attribute(attribute:"see_also", value:"http://www.talosintelligence.com/reports/TALOS-2017-0269/");
  # http://blog.talosintelligence.com/2017/03/vulnerability-spotlight-code-execution.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d98a385a");
  script_set_attribute(attribute:"solution", value:
"Upgrade to NI LabVIEW version 2015 SP1 f7 (2015.1.7) / 2016 f2
(2016.0.2) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2775");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ni:labview");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("labview_installed.nbin");
  script_require_keys("installed_sw/National Instruments LabVIEW", "SMB/Registry/Enumerated");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('install_func.inc');
include('misc_func.inc');
include('smb_func.inc');

get_kb_item_or_exit("SMB/Registry/Enumerated");
arch = get_kb_item_or_exit('SMB/ARCH', exit_code:1);

if (arch == "x86")
  audit(AUDIT_ARCH_NOT, "x64");

app_name = "National Instruments LabVIEW";
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

app_arch = install['architecture'];
if (app_arch == 'x86')
{
  audit(AUDIT_INST_VER_NOT_VULN, app_name, app_arch);
}

# application software
version = install['version'];
display_version = install['display_version'];

# run-time engine
rt_ver = install['runtime_version'];
rt_display_ver = install['runtime_display_version'];

path = install['path'];

fix = NULL;
fix_display = NULL;
vuln = FALSE;

if (version =~ "^2015")
{
  # Run-time engine patch
  fix = "2015.1.7";
  fix_display = "2015 SP1 f7";
  version = rt_ver;
  display_version = rt_display_ver;
}
else if (version =~ "^2016")
{
  # Application software patch
  fix = "2016.0.2";
  fix_display = "2016 f2";
}
else
{
  # any version prior to 2015
  if (version =~ "^20(09|1[0-4])|^[78]\.")
  {
    vuln = TRUE;
    fix_display = "2015 SP1 f7";
  }
  else # 2017+
    audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
}

if ( vuln || (ver_compare(ver:version, fix:fix, strict:FALSE) < 0) )
{
  port = kb_smb_transport();
  items = make_array(
    "Path", path,
    "Installed version", display_version,
    "Fixed version", fix_display
  );

  order = make_list("Path", "Installed version", "Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);
  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
}
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);

Seebug

bulletinFamilyexploit
description### Summary An exploitable memory corruption vulnerability exists in the LvVarientUnflatten functionality of LabVIEW 2016 version 16.0.0.49152. A specially crafted VI file can cause a user controlled value to be used as a loop terminator resulting in internal heap corruption. An attacker controlled VI file can be used to trigger this vulnerability, exploitation could lead to remote code execution. ### Tested Versions LabVIEW 2016 Evaluation (version 16.0.0.49152) 64-bit only - (only versions prior to LabVIEW 2017 are affected) ### Product URLs http://www.ni.com/labview/ ### CVSSv3 Score 7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-122: Heap-based Buffer Overflow ### Details LabVIEW provides engineers a simple environment to build measurement or control systems. LabVIEW is used to abstract many of the low-level details of various hardware and signal-processing libraries into a single platform. It uses a graphical programming approach to achieve this goal. Modules utilized in this vulnerability: ``` start end module name 00000000`0ae60000 00000000`0b02c000 tdcore_16_0 (deferred) Image path: C:\Program Files\National Instruments\LabVIEW 2016\resource\tdcore_16_0.dll Image name: tdcore_16_0.dll Browse all global symbols functions data Timestamp: Wed Jun 08 11:51:42 2016 (57585B2E) CheckSum: 001CF8D0 ImageSize: 001CC000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4 start end module name 00000000`04f70000 00000000`05069000 mgcore_SH_16_0 (deferred) Image path: C:\Program Files\National Instruments\LabVIEW 2016\resource\mgcore_SH_16_0.dll Image name: mgcore_SH_16_0.dll Browse all global symbols functions data Timestamp: Wed Jun 08 11:00:25 2016 (57584F29) CheckSum: 000E3FEE ImageSize: 000F9000 File version: 16.0.0.49152 Product version: 16.0.0.49152 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: National Instruments Corporation ProductName: MGCOREDLL_SH InternalName: MGCOREDLL_SH 16.0.0f0 OriginalFilename: mgcore_SH_16_0.dll ProductVersion: 16.0.0f0 FileVersion: 16.0.0f0 FileDescription: LabVIEW NonUI Managers LegalCopyright: Copyright © 2000-2016 National Instruments Corporation. All Rights Reserved. Comments: 2016/06/08 11:29:22, mgcore_SH_16_0/win64U/x64/msvc90/release ``` During the unflattening of a LvVarient object, a call to `ReadTD` occurs [0]: ``` tdcore_16_0!LvVariant::UnFlatten+0x19c .text:0000000000815281 loc_815281: ; DATA XREF: .rdata:stru_93F5A0o .text:0000000000815281 108 mov rax, [rdi] .text:0000000000815284 108 lea rdx, [rsp+108h+readTD_obj] .text:0000000000815289 108 mov rcx, rdi .text:000000000081528C 108 call qword ptr [rax+0E0h] ; ReadTD [0] ``` During this `ReadTD`, various pieces of the input file is read using `ReadU32` from a `BinDataReader` [1]. This object provides an interface to an open file handle to read input in various formats. In this case, an unsigned 32 bit integer is being read from the file. ``` tdcore_16_0!TDDataReader::ConstructEltTD+0x4c3 TDDataReader::ConstructEltTD(void)+4BA TDDataReader::ConstructEltTD(void)+4BA loc_826C7A: ; CODE XREF: TDDataReader::ConstructEltTD(void)+458j TDDataReader::ConstructEltTD(void)+4BA 0F8 mov rax, [rcx] TDDataReader::ConstructEltTD(void)+4BD 0F8 mov rdx, rdi TDDataReader::ConstructEltTD(void)+4C0 0F8 call qword ptr [rax+78h] ; BinDataReader::ReadU32 [1] TDDataReader::ConstructEltTD(void)+4C3 0F8 test eax, eax TDDataReader::ConstructEltTD(void)+4C5 0F8 jz short loc_826CE7 ``` While parsing the `LastSavedTarget` segment of the input file, four bytes are read which are used as a loop condition in which `ClearMem` is called over chunks of the heap structure internal to LabVIEW. ``` tdcore_16_0!TDArrayBaseImp::PrintDebugStr+0x8f1 .text:000000000083B291 loop: .text:000000000083B291 088 mov rax, [r13+0] .text:000000000083B295 088 mov r10, [r12] .text:000000000083B299 088 mov r9d, 1 .text:000000000083B29F 088 mov rcx, [rax] .text:000000000083B2A2 088 mov r8d, r15d .text:000000000083B2A5 088 mov dword ptr [rsp+88h+var_68], ebp .text:000000000083B2A9 088 lea rdx, [rbx+rcx] .text:000000000083B2AD 088 mov rcx, r12 .text:000000000083B2B0 088 call qword ptr [r10+0B0h] ; Calls ClearMem .text:000000000083B2B7 088 test eax, eax .text:000000000083B2B9 088 jnz short return_result .text:000000000083B2BB 088 movsxd rax, r14d .text:000000000083B2BE 088 inc rdi .text:000000000083B2C1 088 add rbx, rax .text:000000000083B2C4 088 cmp rdi, rsi .text:000000000083B2C7 088 jb short loop .text:000000000083B2C9 counter_terminated: .text:000000000083B2C9 088 xor eax, eax .text:000000000083B2CB 088 jmp short return_result .text:000000000083B2CD return_2: .text:000000000083B2CD 088 mov eax, 2 .text:000000000083B2D2 return_result: .text:000000000083B2D2 088 mov rsi, [rsp+88h+arg_18] tdcore_16_0!TDImpClearMemory+0x5 .text:0000000000821465 000 push rbx .text:0000000000821466 008 sub rsp, 20h .text:000000000082146A 028 mov rax, [rdx] .text:000000000082146D 028 mov r9, rdx .text:0000000000821470 028 mov rbx, rcx .text:0000000000821473 028 xor edx, edx .text:0000000000821475 028 mov rcx, r9 .text:0000000000821478 028 call qword ptr [rax+90h] ; returns 8 .text:000000000082147E 028 mov rcx, rbx ; Internal heap address .text:0000000000821481 028 movsxd rdx, eax ; 8 .text:0000000000821484 028 call ClearMem mgcore_SH_16_0!ClearMem: ClearMem_233168 000 sub rsp, 28h ClearMem_233168+4 028 mov r8, rdx ; Size ClearMem_233168+7 028 xor edx, edx ; Val ClearMem_233168+9 028 call memset ``` In each iteration of the loop, the current internal heap address is cleared in 8 byte chunks and incremented to the next heap address. By supplying an invalid loop termiator, an attacker can clear internal heap chunks which could potentially lead to remote code execution. ### Crash Information ``` rax=000000000bf0c000 rbx=000000000bf0c000 rcx=000000000bf0c000 rdx=0000000000000000 rsi=00000000069390c0 rdi=000000000bf0c000 rip=000000007328e5d0 rsp=000000000042c4c8 rbp=0000000000000000 r8=0000000000000000 r9=0000000000000001 r10=0000000002b0db38 r11=0000000000000000 r12=00000000069390c0 r13=000000000bf07820 r14=0000000000000008 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc MSVCR90+0x1e5d0: 00000000`7328e5d0 488911 mov qword ptr [rcx],rdx ds:00000000`0bf0c000=???????????????? 00000000`7328e5bc 7539 jne MSVCR90+0x1e5f7 (00000000`7328e5f7) 00000000`7328e5be 4d8bc8 mov r9,r8 00000000`7328e5c1 4983e007 and r8,7 00000000`7328e5c5 49c1e903 shr r9,3 00000000`7328e5c9 7411 je MSVCR90+0x1e5dc (00000000`7328e5dc) 00000000`7328e5cb 66666690 xchg ax,ax 00000000`7328e5cf 90 nop MSVCR90+0x1e5d0: 00000000`7328e5d0 488911 mov qword ptr [rcx],rdx ⇐ instruction pointer ``` ### Timeline * 2017-01-13 - Vendor Disclosure * 2017-03-22 - Public Release ### CREDIT * Discovered by Cory Duplantis of Cisco Talos
idSSV:96545
last seen2017-11-19
modified2017-09-20
published2017-09-20
reporterRoot
titleNational Instruments LabVIEW LvVarientUnflatten Code Execution Vulnerability(CVE-2017-2775)

Talos

idTALOS-2017-0269
last seen2019-05-29
published2017-03-22
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0269
titleNational Instruments LabVIEW LvVarientUnflatten Code Execution Vulnerability