CVE-2024-23129 - Memory Corruption in opennurbs.dll via Crafted 3DM, STP, or SLDASM Files – Exploit Details and Analysis

---

Summary:
CVE-2024-23129 is a serious vulnerability that affects multiple Autodesk applications due to unsafe parsing of 3D model files like 3DM, STP, or SLDASM using the opennurbs.dll library. By crafting a malicious file, attackers can cause a write access violation, leading to memory corruption. If combined with other vulnerabilities, this bug can allow remote code execution (RCE) within the process, potentially letting attackers run arbitrary code on your system.

What is CVE-2024-23129?

CVE-2024-23129 is a memory corruption vulnerability in the opennurbs.dll component—a library responsible for parsing 3D model formats such as Rhino’s 3DM, STEP/STP, and SolidWorks SLDASM. This DLL is widely included in Autodesk products like Autodesk 3ds Max, Fusion 360, and AutoCAD.

Attackers can craft a special 3DM, STP, or SLDASM file so that when an Autodesk application tries to open or import it, an out-of-bounds write occurs. This can lead to a crash or, if chained with other bugs (like bypassing Data Execution Prevention or Address Space Layout Randomization), can allow arbitrary code execution.

How Does the Exploit Work?

When you open a malicious file in an affected Autodesk application, the app delegates parsing duties to opennurbs.dll. Malformed data inside the file tricks the DLL into writing data to unexpected memory addresses—a classic write access violation.

Trigger a crash (Denial of Service).

- In the worst case, allow further exploitation, letting unwanted code run with the rights of the user.

Simplified Exploit Flow

1. Attacker crafts a malicious 3DM/STP/SLDASM file

User opens the file in a vulnerable Autodesk app

The vulnerable DLL parses the file, hits a bug, and writes data to an invalid or dangerous memory region.

Impact

Memory corruption leads to a crash. When chained with other bugs (like a memory leak or execution redirection), the hacker gets code execution.


## Example (Hypothetical/Pseudocode)

Below is a simplified and hypothetical demonstration of what happens inside the DLL

// Example: Vulnerable copy operation in opennurbs.dll
void ReadModelData(FILE *input) {
    char buffer[128];
    unsigned int length;
    fread(&length, sizeof(length), 1, input); // User-controlled length from file
    fread(buffer, 1, length, input); // No check: if length > 128 => buffer overflow!
}

If the attacker sets length to, say, 500, this code writes past the buffer, corrupting memory.

Any tool relying on opennurbs.dll for model import

*Not all versions are affected. Check Autodesk advisories for specifics.*

`

2. Send the file to a target user/employee.

References and Original Advisories

- NIST NVD: CVE-2024-23129
- Autodesk Security Advisory
- OpenNURBS Homepage
- Rhino 3DM File Format
- General Guide On File Format Exploitation (Project Zero)

Mitigation & Solutions

- Update your software! Autodesk has provided updates for vulnerable applications. Visit their Security Advisories page.
- Avoid opening files from unknown sources. Reject any suspicious 3DM/STP/SLDASM files, especially from unsolicited emails or downloads.

Conclusion

CVE-2024-23129 shows how a single unchecked file input in a widely used modeling library can compromise the security of entire creative workflows. While the exploit often needs to be chained with other bugs for full code execution, any crash from a bad file is a danger signal.

Stay safe: keep your Autodesk products up-to-date and be careful with 3D model files from untrusted sources.

Timeline

Published on: 02/22/2024 04:15:08 UTC
Last modified on: 08/01/2024 13:47:07 UTC