CVE-2024-23131 - Memory Corruption in Autodesk DLLs via Malicious STP File – Detailed Breakdown and Exploit Insights

The design and architecture industries rely heavily on Autodesk applications for handling 3D data, such as drawings and models shared through the STP or STEP file format. Unfortunately, a recent security finding, labeled CVE-2024-23131, exposes a severe memory corruption vulnerability in multiple Autodesk DLLs when parsing specially crafted STP files. Here's an exclusive, in-depth exploration of this flaw – how it works, proof-of-concept exploit details, mitigation steps, and original references.

Understanding the Vulnerability

CVE-2024-23131 affects the following DLLs used by Autodesk products (such as Autodesk AutoCAD, Inventor, Revit, and others):

ASMDATAX228A.dll

When a user opens a malicious STP file, these DLLs handle the parsing and import of the 3D data. Due to improper validation, a specially crafted input can cause a write access violation, ultimately leading to memory corruption. In software security, such flaws often serve as a doorway to more serious exploits, particularly arbitrary code execution under the current user context.

Core problem

> *A maliciously crafted STP file, when parsed in these DLLs, can lead to a memory corruption vulnerability by write access violation. This vulnerability, in conjunction with other vulnerabilities, can lead to code execution in the context of the current process.*

Vulnerable Function Flow (Simplified)

Based on crash log reviews and fuzzing results, such vulnerabilities often occur in code that processes field lengths or object references within the STP data, like this (pseudo-code in C/C++):

// Hypothetical parsing logic
void parseSTPElement(char *buffer) {
    int field_length = *(int *)(buffer + OFFSET);
    char destination[128];

    // No length check!
    memcpy(destination, buffer + DATA_START, field_length);
}

If an attacker specifies a field_length larger than destination, the later call to memcpy writes past the buffer, corrupting memory.

Exploitability

While this bug alone is a memory bug, when chained (for example, with a heap spray and a pointer overwrite primitive), it can reliably lead to:

Proof-of-Concept (PoC) Exploit Example

Below is a simple concept that demonstrates how malformed STP data may trigger the vulnerability. (Note: This is illustrative pseudo-STP, actual attack files are more complex and may require file-format expertise.)

ISO-10303-21;
HEADER;
FILE_DESCRIPTION(('Example exploit'),'1');
ENDSEC;
DATA;
#10=PRODUCT('X','Y','Z',(#11));
#11=PRODUCT_CONTEXT('test','','#99999999');  // Malformed reference
ENDSEC;
END-ISO-10303-21;

The #99999999 reference is intentionally invalid and out of bounds.

- ASM-based Autodesk parsers may dereference or mishandle this value, especially if input size checks are missing, causing heap corruption.

Observe a crash or abnormal behavior.

NOTE: Do not open strange STP files on production machines – this procedure is for security researchers in controlled environments only.

Attackers may

- Craft STP/STEP files with malformed entity lengths or references.

Distribute these by email or file sharing, posing as legitimate designs.

- When the target opens the file, it may crash the application or, if chained with further bugs, allow running malware on the user’s machine.

Often, the attack is stealthy, requiring only that the victim open a file or preview it.

Autodesk’s Official Guidance

Autodesk has released security advisories and patches for affected applications. Always refer to their latest bulletins.

- Autodesk Security Advisory (CVE-2024-23131)
- CVE-2024-23131 NVD Entry

Update all Autodesk products to the latest released versions.

- Avoid opening STP/STEP files from unknown sources.

For Developers

If you create file parsers or plugins, always validate external data. Use safe length checks before copying or referencing data.

Example, in C/C++ (safe programming style)

void parseSTPElement(char *buffer, size_t buf_length) {
    int field_length = *(int *)(buffer + OFFSET);
    if (field_length > 128 || field_length < ) {
        // Reject malformed
        return;
    }
    char destination[128];
    memcpy(destination, buffer + DATA_START, field_length);
}

References

- Autodesk Security Advisory – CVE-2024-23131
- National Vulnerability Database – CVE-2024-23131
- Autodesk Product Security Updates
- STEP File Format Documentation (ISO 10303-21)

Final Thoughts

CVE-2024-23131 is a reminder that file import features, especially for complex formats like STP/STEP, are major attack targets. Even in modern commercial software, diligent input validation is essential. If you use Autodesk software, patch now. If you process CAD files programmatically, audit your code for buffer overwrites and fuzz it with malformed input.

Timeline

Published on: 02/22/2024 04:15:08 UTC
Last modified on: 08/01/2024 13:47:07 UTC