CVE-2024-23128 is a critical vulnerability affecting multiple Autodesk applications. At its heart is a memory corruption issue, specifically a write access violation, that occurs when handling specially crafted .MODEL files. The vulnerability exists in the DLLs libodxdll.dll and ASMDATAX229A.dll, which are integral to parsing these files.
If exploited, this flaw can allow attackers to manipulate memory – and potentially achieve arbitrary code execution in the context of the current user. In this article, we'll break down how the vulnerability works, show you the vulnerable code pattern, discuss exploitation tactics, and suggest protections.
What is CVE-2024-23128?
When an Autodesk product (such as AutoCAD or its OEM derivatives) parses a malicious .MODEL file, it may call into code in libodxdll.dll and/or ASMDATAX229A.dll that doesn’t properly check bounds or input validity. This can allow an attacker to overwrite memory, causing an access violation – and, with the right strategy, take control over program execution.
Where’s the Vulnerable Code?
Let’s take a look at a simplified code snippet illustrating the problem. The core issue is a missing bounds check before writing data parsed from the .MODEL file.
Vulnerable Pattern (Pseudocode)
    void parseObject(FILE *f, ObjectData *target) {
        // ... previous code ...
        size_t len;
        fread(&len, sizeof(size_t), 1, f);
        if (len >= MAX_SIZE) { // but what if MAX_SIZE is not enough?
            // Intended bounds check, but value might still be huge
        }
        char *buffer = malloc(len);
        fread(buffer, 1, len, f); // No check on read success
        memcpy(target->data, buffer, len); // Potential buffer overflow!
        free(buffer);
    }
In practice, fuzzers found that a specially crafted .MODEL file could provide a huge length (len) value, causing an overwrite of memory beyond target->data. This is a classic vector for memory corruption exploits, and, consequently, this function – or equivalent logic in the real DLL – is not safe.
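For comparison, here is a hardened counterpart to the pattern above. It is an added illustration, not Autodesk's code or its patch. The `ObjectData` layout, the 64-byte capacity, the 4-byte little-endian length field and the `make_record` helper are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_DATA_CAP 64u  /* assumed capacity of the destination buffer */

typedef struct {
    unsigned char data[OBJ_DATA_CAP];
    size_t used;
} ObjectData;  /* hypothetical layout, not taken from the DLLs */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };

/* Read the length as a fixed-width little-endian field, not a raw size_t. */
static int read_u32_le(FILE *f, uint32_t *out) {
    unsigned char b[4];
    if (fread(b, 1, sizeof b, f) != sizeof b) return -1;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 0;
}

int parse_object_checked(FILE *f, ObjectData *target) {
    unsigned char tmp[OBJ_DATA_CAP];
    uint32_t len;

    if (read_u32_le(f, &len) != 0) return PARSE_TRUNCATED;
    /* Bound the length by the destination's real capacity before any copy. */
    if (len > sizeof target->data) return PARSE_TOO_LARGE;
    /* Stage the payload so a short read never leaves target half-written. */
    if (fread(tmp, 1, len, f) != len) return PARSE_TRUNCATED;
    memcpy(target->data, tmp, len);
    target->used = len;
    return PARSE_OK;
}

/* Constructed input: declared length field followed by `actual` bytes of 0x41. */
FILE *make_record(uint32_t declared, size_t actual) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    for (int i = 0; i < 4; i++) fputc((int)((declared >> (8 * i)) & 0xff), f);
    for (size_t i = 0; i < actual; i++) fputc(0x41, f);
    rewind(f);
    return f;
}
```

The two rejections are distinct on purpose: an oversized declared length and a payload shorter than its declared length are both signs of a malformed file, and logging which one fired helps triage fuzzing results and field crashes.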
2. Triggering the Vulnerability
When the file is opened in Autodesk software, the vulnerable library allocates inadequate memory or writes past the legitimate buffer's boundaries, corrupting adjacent memory.
- With simple crashing, an attacker can deny service.
- With knowledge of memory layout (via ASLR bypass, etc.) or in conjunction with other vulnerabilities (like info leaks), the aggressor can hijack execution flow (e.g., by overwriting a function pointer or structured exception handler).
Sample Exploit Skeleton (Python POC)
    # Generate malicious .MODEL file for CVE-2024-23128
    with open('crash.model', 'wb') as f:
        f.write(b'\x41' * 256)  # header
        f.write((0x100).to_bytes(4, 'little'))  # maliciously large size
        f.write(b'\x90' * 0x100)  # padding (filled with NOPs or shellcode)
Note: This POC demonstrates how an attacker might generate an input file that results in memory corruption. In the wild, a real exploit would include crafted payloads for code execution.
- Denial of Service: Most crashes will simply close Autodesk software, potentially losing user data.
- Arbitrary Code Execution: Advanced attacks can chain this bug with other vulnerabilities for stable, targeted attacks; for example, using information disclosure bugs or exploiting uninitialized pointers.
- Widespread Risk: Any Autodesk app using libodxdll.dll or ASMDATAX229A.dll to parse .MODEL files is potentially at risk.
Remediation & Mitigation
- Patch Now: Follow Autodesk’s security advisory and update all affected software to the latest, patched versions.
- Autodesk Security Advisories
- File Origin: Avoid opening .MODEL files from untrusted or unknown sources.
- Network Segmentation: Consider running vulnerable programs in sandboxes or with least privilege until an update is possible.
References
- Autodesk Security Advisory: ADV-2024-0002
- MITRE CVE Record: CVE-2024-23128
- Exploit Database: Recent Autodesk Exploits
Conclusion
CVE-2024-23128 is a severe vulnerability in Autodesk’s file parsing libraries. By simply opening a poisoned .MODEL file, users could lose data or, worse, allow attackers to fully hijack their computer. The lesson: never open files from uncertain sources and install security updates promptly.
Stay sharp – and keep your software patched!
If you’re a security engineer or Autodesk admin, monitor for this vuln, and spread the word to your teams. For researchers: always fuzz bespoke file formats and test for boundary errors like this!
Timeline
Published on: 02/22/2024 04:15:08 UTC
Last modified on: 08/01/2024 13:47:07 UTC