CVE-2024-23137 - How Malicious STP and SLDPRT Files Can Exploit Uninitialized Variables in Autodesk ODXSW_DLL.dll

A new vulnerability, CVE-2024-23137, has been identified in Autodesk products that make use of the ODXSW_DLL.dll component. By tricking the application into loading a specially crafted STP or SLDPRT file, attackers can exploit uninitialized variables in the DLL. This opens the door for remote code execution (RCE) within the current process, potentially allowing attackers to run any code they like in the context of the user.

In this post, I’ll break down this vulnerability in plain English, illustrate how it works, provide a proof-of-concept code snippet, and share mitigations and references for further reading.

Vulnerable Software

CVE-2024-23137 affects Autodesk products that parse STP (STEP) and SLDPRT (SolidWorks Part) files using the ODXSW_DLL.dll plugin. This DLL is part of the translation capabilities inside popular 3D CAD applications such as:

Inventor

These applications support importing third-party CAD files, making them attractive targets for embedding malicious payloads.

Exploit Summary

A specially-crafted CAD file (.stp or .sldprt) exploits poor memory initialization in the DLL. If a user opens such a file, the software may access or execute arbitrary memory, leading to code execution with the user’s permissions.

Why is this Dangerous?

- Remote code execution: An attacker can run their own code, steal data, install malware, or even take over the whole workstation.

Stealthy delivery: Just opening a 3D file in a design app is enough.

- Supply-chain threat: A malicious CAD file could be distributed in online collaboration, design libraries, or email attachments.

How Does the Exploit Work?

At its core, the problem is uninitialized variables in ODXSW_DLL.dll. When the parser encounters certain file structures, it handles memory incorrectly, using data that hasn’t been properly set up (initialized). An attacker can carefully craft a CAD file to layout the data structure in a way that the program will execute attacker-controlled content.

Let’s break it down

1. Malicious STP/SLDPRT file: Contains payload data in locations that affect how the DLL allocates or interprets memory.

File Loading: Victim opens the crafted file in an affected Autodesk application.

3. ODXSW_DLL.dll Parsing: While parsing the file, due to improperly initialized local or member variable(s), the DLL may misinterpret part of the CAD file as data or executable code.

Proof-of-Concept (PoC) Example

Below is an example snippet of a (simplified) code pattern that could exist in a vulnerable library:

// Vulnerable code in ODXSW_DLL.dll (not actual source)
void CADFileParser::ParsePartBlock(const ByteArray& block) {
    int blockType; // <-- Uninitialized!
    // ... omitted code ...
    if (blockType == EXPECTED_PART_BLOCK) {
        // use blockType for decision...
        // process part data (might dereference invalid memory, bad pointer, etc.)
    }
}

An attacker’s custom SLDPRT file could try to fill the file buffer in a way that tricks the DLL into thinking blockType points to attack-controlled data. By manipulating offsets in the file, this can pivot execution to shellcode or unexpected data.

Creating a Malicious CAD File

Below is a fictional example (do not use maliciously) of stuffing a payload in STEP file comments, hoping to trigger the bug:

ISO-10303-21;
HEADER;
FILE_DESCRIPTION(('Example exploit'), '1');
FILE_NAME('malicious_step.stp', ... );
FILE_SCHEMA(('AUTODESK_STP'));
// Large block of junk, possible shellcode follows:
DATA;
#10 = PART('AAAAAAAAAAAAAAAAAAA...');
#11 = COMMENT('AAA...<malicious payload>...BBB');
ENDSEC;
END-ISO-10303-21;

Note: Real exploit development requires reverse engineering the DLL to find exact triggers, offsets, and shellcodes.

Example Exploit Skeleton (Local Code Execution)

# This is a pseudo-exploit for demonstration only
filename = "exploit.sldprt"

with open(filename, "wb") as f:
    # Fill with junk up to known vulnerable offset
    f.write(b"A" * 512)
    # Insert a value that, after file is loaded, results in uninitialized jump
    f.write(b"\x90" * 16)   # NOP sled
    f.write(b"\xcc" * 4)    # Breakpoint (int3) - simulates shellcode
    # More junk as necessary
    f.write(b"B" * 100)

print(f"Malicious file {filename} ready (for test only)")

Replace with actual exploits as discovered by researchers. The key is controlling memory near where the uninitialized variable is later used.

Update your Autodesk products:

Apply the most recent security patches from Autodesk’s support page.

Block untrusted macros and scripts:

Disable, if possible, unknown or unverified plugins/add-ons.

References

- Autodesk Security Advisory: CVE-2024-23137
- CVE Record: CVE-2024-23137
- STEP File Format Reference
- SLDPRT File Format Specification (SolidWorks)
- Understanding Uninitialized Variable Exploits

Conclusion

CVE-2024-23137 is another example of the dangers of parsing complex file types with libraries that don’t initialize memory safely. If you use any Autodesk CAD products, update them immediately and always be wary of files from unknown sources. While the technical details require a deep understanding to exploit, the attack itself is as simple as opening the wrong file.

Stay safe, patch up, and let your security team know about CVE-2024-23137 today!


*This post is an exclusive educational summary and does not contain any dangerous actual exploits. Always act responsibly and report real vulnerabilities to affected vendors.*

Timeline

Published on: 02/22/2024 05:15:09 UTC
Last modified on: 08/01/2024 13:47:08 UTC