CVE-2024-23134 - Autocad IGS File Parsing UAF to Code Execution in tbb.dll

Autodesk AutoCAD is one of the most popular CAD programs in the world, used by millions for designing architecture, engineering, and manufacturing plans. But as with any large software, vulnerabilities can lurk beneath the surface. In early 2024, a critical vulnerability—CVE-2024-23134—was patched. This flaw concerns how AutoCAD handles certain IGS files, involving a use-after-free in the tbb.dll component. In this post, we’ll break down this security issue, how exploitation works, and what you need to know to stay safe.

What is CVE-2024-23134?

CVE-2024-23134 describes a use-after-free (UAF) vulnerability found in *Autodesk AutoCAD* versions prior to the security update, specifically in the tbb.dll library. An attacker can craft a specially designed IGS (IGES) file that triggers a double-free or use-after-free scenario during file parsing.

When AutoCAD parses the file, it frees up certain memory used for managing vector or geometry data in tbb.dll—but then it keeps using that memory. If the attacker has controlled the content of that memory (using the IGS file), they now influence the program’s flow. This type of vulnerability can be weaponized to gain *arbitrary code execution* under the security context of the current user.

Other Autodesk products embedding vulnerable tbb.dll

Original reference:
- Autodesk Security Advisory (CVE-2024-23134)

When loaded, tbb.dll allocates a memory object for IGS vector geometry.

4. The IGS payload triggers a scenario where the object is freed twice or used after being freed.
5. If the attacker controls what’s in that memory (heap spray or reallocation), the code execution occurs.

Autodesk uses the Intel TBB (Threading Building Blocks) library for parallelized tasks. Improper handling of deletion in tbb.dll can cause unsafe memory operations.

To illustrate, here’s a pseudocode snippet that demonstrates the bug

// (Simplified logic based on public symbols and analysis)
IGS_Object* obj = tbb_allocate_IGS_obj();
parse_IGS_data(obj, file_data);
free(obj);             // First free
...                    // Some operation
use(obj->vector);      // Use after free!

In practice, a malicious IGS file would craft vector data that, when freed and re-used, lets the attacker hijack the flow—redirecting execution to their attacker-controlled code.

IGS File Example (simplified)

// This is not an actual exploit but shows how vector data may be crafted

106,100,,,1;  // Sample entity (may trigger the bug in tbb.dll)
110,1,,,8;    // Payload data
...

A real-world exploit would likely heap-spray shellcode before opening the IGS file, hoping the freed memory is reallocated with that data.

Privilege escalation: Limited to user’s current privileges

- Exploitation ease: Medium (needs custom IGS file, but several researchers have shown similar bugs are viable)

- AutoCAD Security Updates

- CVE Record: CVE-2024-23134
- Autodesk Advisory
- TBB Library Github
- Understanding Use-After-Free

Conclusion

CVE-2024-23134 is a stark reminder that even industry-leading software like AutoCAD can have critical vulnerabilities, especially when parsing complex external files. If you use AutoCAD—or receive designs from others—always keep your software up-to-date. Never trust files from unknown sources, and educate your team about how easily a simple file can compromise an entire workstation.

Timeline

Published on: 02/22/2024 05:15:09 UTC
Last modified on: 08/01/2024 13:47:08 UTC