CVE-2024-23137 - Uninitialized Variables Lead to Potential Code Execution in Autodesk Applications

The Common Vulnerabilities and Exposures (CVE) program lists CVE-2024-23137 as a vulnerability that may lead to Remote Code Execution (RCE) in Autodesk applications. It results from uninitialized variables being used when maliciously crafted STP or SLDPRT files are parsed through the ODXSW_DLL.dll library. Attackers can exploit this flaw, potentially leading to the execution of arbitrary code within the vulnerable application. This post discusses the details of CVE-2024-23137, including a code snippet illustrating the flaw, links to the original references, and an overview of the exploit.

Description of Vulnerability

The root cause of CVE-2024-23137 is the improper handling of uninitialized variables when Autodesk applications parse a maliciously crafted STP or SLDPRT file using the ODXSW_DLL.dll library. An attacker can take advantage of this by supplying the target application with a specially crafted STP or SLDPRT file that, when opened, triggers the uninitialized variable issue and potentially allows arbitrary code to execute within the application's process.

Code Snippet

The following simplified code snippet illustrates the uninitialized-variable flaw when parsing an STP or SLDPRT file:

// File: ODXSW_DLL.cpp
// Function: ParseFile()
#include <iostream>
#include <vector>
#include <string>
#include "ODXSW_DLL.h"

void ParseFile(std::string filePath) {
    std::vector<int> uninitialized_vector;
    std::cout << "Parsing file: " << filePath << "\n";

    // Parse the STP or SLDPRT file
    // ...

    // Uninitialized variable issue
    for (auto idx : uninitialized_vector) {
        // Do Something with 'idx'
        // ...
    }
}

int main() {
    std::string path = "malicious_file.stp";
    ParseFile(path);
    return 0;
}

When the above code is executed with a maliciously crafted STP or SLDPRT file, uninitialized_vector is used within the for loop without having been initialized, which could lead to unexpected behavior, including arbitrary code execution.

Original References

For more information on CVE-2024-23137, refer to its official documentation on the CVE website: CVE-2024-23137 details

For technical information on how to address this vulnerability and patches, please visit Autodesk's official security advisory: Autodesk Security Advisory FY2024-2103

Exploit Details

To exploit this vulnerability, an attacker would create a maliciously crafted STP or SLDPRT file that triggers the uninitialized variable issue present in the ODXSW_DLL.dll library. The attacker would then need to trick the victim into opening this malicious file within a vulnerable Autodesk application. Once the file is opened and the uninitialized variable is used, the attacker could potentially execute arbitrary code within the application's processes.

Conclusion

CVE-2024-23137 demonstrates one of the many security risks that software developers must consistently address. By taking proper steps to initialize and validate variables before using them, developers can prevent uninitialized variable issues such as this one. For users of Autodesk applications, it is essential to keep your software up to date with the latest security patches and to be cautious when opening files from untrusted sources.
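
The initialize-and-validate advice above, shown as an added example (written for this page, not code from Autodesk, ODXSW_DLL.dll, or the original post): FaceRecord, its byte layout, and both parser functions are hypothetical. It contrasts a parser that reports success on a truncated record while leaving fields unwritten with a hardened form that zeroes the output and rejects inconsistent input.

```cpp
// Added illustration: hypothetical record layout, not Autodesk or ODXSW_DLL code.
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kMaxRefs = 8;

struct FaceRecord {
    std::uint8_t  ref_count;        // how many entries of refs[] are meaningful
    std::uint16_t refs[kMaxRefs];   // indices into a vertex table
};

// Little-endian 16-bit read; the caller guarantees off + 1 < in.size().
static std::uint16_t read_u16(const std::vector<std::uint8_t>& in, std::size_t off) {
    return static_cast<std::uint16_t>(in[off] | (in[off + 1] << 8));
}

// Flawed pattern: callers declare `FaceRecord rec;` with no initializer, and a
// truncated record leaves part of it unwritten while still reporting success.
bool parse_face_unsafe(const std::vector<std::uint8_t>& in, FaceRecord& rec) {
    if (in.empty()) return true;                    // BUG: rec left untouched
    rec.ref_count = in[0];                          // BUG: count trusted as-is
    for (std::size_t i = 0; i < kMaxRefs && 2 + 2 * i < in.size(); ++i)
        rec.refs[i] = read_u16(in, 1 + 2 * i);      // stops early on short input
    return true;                                    // later refs keep stale values
}

// Hardened form: zero the output first, reject any record whose declared count,
// length, or indices do not line up, and never report success on partial data.
bool parse_face(const std::vector<std::uint8_t>& in, std::size_t vertex_count,
                FaceRecord& rec) {
    rec = FaceRecord{};                             // defined state on every path
    if (in.empty()) return false;
    const std::size_t n = in[0];
    if (n > kMaxRefs || in.size() != 1 + 2 * n) return false;
    for (std::size_t i = 0; i < n; ++i) {
        const std::uint16_t v = read_u16(in, 1 + 2 * i);
        if (v >= vertex_count) { rec = FaceRecord{}; return false; }
        rec.refs[i] = v;
    }
    rec.ref_count = static_cast<std::uint8_t>(n);   // set only after validation
    return true;
}
```
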

Timeline

Published on: 02/22/2024 05:15:09 UTC
Last modified on: 08/01/2024 13:47:08 UTC