When we think about CAD software, security isn't always top of mind. But as tools like Autodesk AutoCAD grow in popularity, they become attractive targets for hackers. CVE-2024-23136 is a real-world example of this—a critical vulnerability hiding in the parsing logic of ASMKERN228A.dll, which AutoCAD uses to handle STP (STEP) files.
In this long read, we'll break down what CVE-2024-23136 is, how an attacker can exploit it using a specially crafted STP file, look at code snippets and the technical mechanics, and where to find more information. By the end of this post, you'll understand why even opening a file can sometimes be dangerous.
What is CVE-2024-23136?
Simply put, CVE-2024-23136 is a flaw in AutoCAD's ASMKERN228A.dll library. When AutoCAD imports or parses a maliciously-crafted STP file (an industry-standard 3D object and CAD format), the program doesn't properly validate certain pointers. This opens the door for a hacker to "dereference" an untrusted pointer, which means they can make the application access memory it shouldn't—which can result in running attacker-supplied code.
In other words, you could simply double-click a malicious STP file sent to you, and—if you have an affected version—the attacker could run whatever code they want on your machine, with your privileges.
Understanding the Vulnerability
STP files are plaintext and describe 3D models in a structured, but often complex, way. When a user imports an STP file, AutoCAD's ASMKERN228A.dll parses the content and converts it into its own data structures for 3D rendering. Somewhere in this parsing logic, it mishandles an internal pointer, based on untrusted data from the file.
The Underlying Problem
The core issue is untrusted pointer dereference.
- Untrusted pointer dereference: The application uses a value from the file as a memory address (pointer) and tries to access it, trusting the file's content.
- Attackers can craft a STP file that puts a specific value where the pointer is expected, pointing it to attacker-controlled data.
Let’s look at what goes wrong, using simplified pseudocode to illustrate the risky behavior
// Pseudo code representing risky logic in ASMKERN228A.dll
void parseStepFile(const char* stepData) {
// ... some parsing logic ...
int* pointerFromFile = extractPointer(stepData); // Should NOT trust file for a pointer
if (pointerFromFile != NULL) {
processData(*pointerFromFile); // Dereferences what could be an attacker-controlled location
}
}
A normal file would never put an invalid pointer here. But an attacker modifies the STP file so this pointer points to a memory location where they've orchestrated harmful payloads. When this code runs, it executes the attacker's code in the memory space of AutoCAD.
Proof-of-Concept STP Payload
Because exact memory layouts change with operating systems and AutoCAD versions, a real-life working exploit would require knowing addresses and precise layout. However, a simplified (harmless) malicious STP file might look like this—intending to crash the application, or if the attacker is smart, to control execution flow.
ISO-10303-21;
HEADER;
FILE_DESCRIPTION(('Malicious STP file that exploits CVE-2024-23136'),'1');
FILE_NAME('exploit.stp','2024-04-06T12:00:00',('attacker'),'','Autodesk AutoCAD','ASMKERN228A.dll','');
FILE_SCHEMA(('AUTOCAD_SCHEMA'));
ENDSEC;
DATA;
#100 = MALICIOUS_ENTITY('AAAAAAAA', xDEADBEEF); // xDEADBEEF is a guessed pointer
#101 = ANOTHER_ENTITY(#100, ...);
ENDSEC;
END-ISO-10303-21;
*Note: Exploiting this in practice means intense reverse engineering, but the structure is that simple!*
Here’s a generic flow of how an attacker would exploit CVE-2024-23136
1. Craft a Malicious STP File: The attacker engineers an STP file with carefully chosen data in the fields that will be parsed as pointers.
2. Deliver to Victim: Via email, file sharing, or a drive-by download, the attacker tricks a target into opening the file.
User Opens File in AutoCAD: The program loads ASMKERN228A.dll to parse the file.
4. Pointer Dereferenced: The malicious pointer in the file causes the program to access out-of-bounds or attacker-influenced memory.
5. Attacker’s Code Executes: Depending on privileges, the attacker gains control of the system, possibly installing malware, spyware, or opening a reverse shell.
No warnings: Just opening the file triggers the exploit.
- Trusted workflow: Engineers and architects regularly import files from clients and collaborators.
Mitigations
- Update: Autodesk has patched this vulnerability ([see below](#links-to-references)). Upgrade AutoCAD and all related libraries as soon as possible.
Links to References
- Autodesk Security Advisory for CVE-2024-23136
- MITRE CVE Entry
- Autodesk Product Updates
- STEP File Format Reference (Wikipedia)
Conclusion
CVE-2024-23136 is a classic example of how even "safe" formats can be exploited if the program reading them trusts input too much. AutoCAD users should update immediately, and IT should consider file-based threats—especially with complex file types like STP. Remember: never trust a file just because it seems like "just a drawing."
Stay safe, and keep your software patched.
*Written exclusively for you by AI—feel free to share and help others stay aware!*
Timeline
Published on: 02/22/2024 05:15:09 UTC
Last modified on: 08/01/2024 13:47:08 UTC