==========================================================================
Two Vulnerabilities of AutoCAD: CVE-2014-0818 and CVE-2014-0819
  Mar 16, 2014
  @kaito834
==========================================================================

------------------------
Overview
------------------------

AutoCAD 2013 and earlier versions contain untrusted search path vulnerabilities.
When AutoCAD loads a FAS or DLL file, it searches for the file in the current
working directory. Therefore, an attacker or malware could get its own FAS or
DLL file loaded when an AutoCAD user opens a DWG file from a directory in which
that DLL or FAS file is stored. The vendor, Autodesk, Inc., fixed these
vulnerabilities in AutoCAD 2014.

These vulnerabilities were assigned CVE-2014-0818 and CVE-2014-0819.

CVE-2014-0818/JVN#33382534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0818
https://jvn.jp/en/jp/JVN33382534/

CVE-2014-0819/JVN#43254599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0819
https://jvn.jp/en/jp/JVN43254599/

------------------------
Background
------------------------

In June 2012, ESET posted a blog entry (*1) about ACAD/Medre.A, a worm written in
AutoLISP. The blog entry explained that the malware abused the automatic loading
of AutoLISP routines. I became interested in the search path of AutoCAD and
consulted the official AutoCAD documentation. I confirmed that AutoCAD searches
for AutoLISP code in the current working directory first (*2) if the AutoLISP
code is loaded by file name only.

As a result, I wrote a Proof of Concept based on the ESET blog entry and
reported the malware issue to IPA (*3) as an untrusted search path vulnerability.

(*1): http://www.welivesecurity.com/2012/06/21/acadmedre-a-technical-analysis-2/
(*2): http://exchange.autodesk.com/autocad/online-help/browse#WS73099cc142f4875516d84be10ebc87a53f-7872.htm (Japanese)
(*3): INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN
      http://www.ipa.go.jp/security/english/third.html

------------------------
Procedure for reproducing issue
------------------------

I confirmed this procedure on AutoCAD 2013, version G.55.0.0.

(1) Launch AutoCAD 2013 and save an empty drawing as Drawing1.dwg. Then store
    Drawing1.dwg together with the PoC code, Acad.fas (*4), in C:\exploit.
    http://f.hatena.ne.jp/kaito834/20140222203210

(2) After launching Process Monitor (*5), open Drawing1.dwg by double-clicking it.

(3) AutoCAD 2013 launches, and calc.exe is launched at the same time.
    http://f.hatena.ne.jp/kaito834/20140222203211

    Then look at Process Monitor and you can confirm that Acad.fas is loaded
    from the current working directory, the directory that contains Drawing1.dwg.
    http://f.hatena.ne.jp/kaito834/20140222203212

    Also look at [Event Properties] - [Stack] in Process Monitor and you can
    see that accore.dll loads Acad.fas.
    http://f.hatena.ne.jp/kaito834/20140222203213

(*4): The PoC code is not explained in this advisory. Please contact me
      if you are interested in the PoC.
(*5): http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
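The following Python script is an added example for this write-up; it is not
part of the advisory and not Autodesk, IPA or ESET material. It triages a
Process Monitor CSV export the way step (3) does by hand: it keeps successful
FAS/DLL-type file loads by acad.exe, discards those from an assumed trusted set
of directories, and marks the condition the Overview and Background describe, a
load from the same directory the DWG was opened from. The column layout follows
Procmon's CSV export, but the event rows are constructed, the AutoCAD 2013
install path and the .lsp/.vlx extensions are assumptions, and the function
names are mine.

```python
import csv
import io
from pathlib import PureWindowsPath

# Directories from which AutoCAD may legitimately load code. The AutoCAD 2013
# install path is the product default and is an assumption for this example;
# adjust it to the machine being audited.
TRUSTED_DIRS = (
    r"C:\Program Files\Autodesk\AutoCAD 2013",
    r"C:\Windows",
)

# File types the advisory describes AutoCAD loading from the working directory
# (.fas, .dll). .lsp and .vlx are other AutoLISP formats, included as an assumption.
LOADABLE_EXTS = {".fas", ".dll", ".lsp", ".vlx"}

# Constructed sample in the column layout of a Process Monitor CSV export.
# The events are invented to mirror the advisory's reproduction steps.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"20:32:10.0000001","acad.exe","1234","CreateFile","C:\exploit\Drawing1.dwg","SUCCESS","Desired Access: Generic Read"
"20:32:10.0000002","acad.exe","1234","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x77000000"
"20:32:10.0000003","acad.exe","1234","Load Image","C:\Program Files\Autodesk\AutoCAD 2013\accore.dll","SUCCESS","Image Base: 0x10000000"
"20:32:10.0000004","acad.exe","1234","CreateFile","C:\exploit\acad.fas","SUCCESS","Desired Access: Generic Read"
"20:32:10.0000005","acad.exe","1234","Process Create","C:\Windows\System32\calc.exe","SUCCESS","PID: 5678"
'''


def _under(path, roots):
    """True if path equals or lies below one of roots (case-insensitive on Windows paths)."""
    return any(path == root or root in path.parents for root in roots)


def find_untrusted_loads(csv_text, trusted_dirs=TRUSTED_DIRS, process="acad.exe"):
    """Return successful loads of FAS/DLL-type files by `process` from directories
    outside `trusted_dirs`. Each finding records whether the directory is one an
    opened drawing came from, which is the situation the advisory describes."""
    roots = [PureWindowsPath(d) for d in trusted_dirs]
    drawing_dirs = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Result"] != "SUCCESS":
            continue  # a failed probe reveals the search order, but nothing was loaded
        path = PureWindowsPath(row["Path"])
        ext = path.suffix.lower()
        if ext == ".dwg" and row["Operation"] == "CreateFile":
            drawing_dirs.add(path.parent)  # remember where drawings were opened from
            continue
        if ext not in LOADABLE_EXTS or row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        if _under(path.parent, roots):
            continue  # load from an expected location
        reason = ("same directory as an opened drawing"
                  if path.parent in drawing_dirs else "outside trusted directories")
        findings.append({
            "time": row["Time of Day"],
            "operation": row["Operation"],
            "path": str(path),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for hit in find_untrusted_loads(SAMPLE_PROCMON_CSV):
        print(f"{hit['time']} {hit['operation']:<11} {hit['path']}  <- {hit['reason']}")
```

Run against a real export, the script reduces a multi-thousand-event capture
to the few loads worth opening in [Event Properties] - [Stack]; the
"same directory as an opened drawing" reason is the one that matches the
behaviour reported here, while "outside trusted directories" covers a loader
path the trusted list simply does not know about yet.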

------------------------
Timeline
------------------------

Jul  3, 2012   I reported the vulnerability to IPA by email, and
               IPA responded that they had received the vulnerability report.
Aug  6, 2012   IPA informed me by email that they had confirmed the report and
               submitted it to the vendor, Autodesk, Inc.
mid-Aug 2012   The vendor released AutoCAD 2013 Service Pack 1 (SP1),
               which provided a new security feature; see Reference.
Apr  4, 2013   I inquired at IPA by email whether the vulnerability had been
               fixed or not.
Apr 18, 2013   IPA answered me by email that the vendor had released SP1 and
               would fix the vulnerability in the future.
May 11, 2013   I inquired at IPA by email whether CVE-2014-0818 had been fixed
               and CVE-2014-0819 had not.
May 22, 2013   IPA answered me by email that CVE-2014-0818 and CVE-2014-0819
               were not fixed and would be fixed in the future.
Aug 22, 2013   I inquired at IPA by email whether the vulnerability and
               CVE-2013-3665 were different or not.
               https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3665
Sep  4, 2013   IPA responded to me by email that they were waiting for a reply
               from the vendor.
mid-Sep 2013   IPA answered me by email that the vulnerability and
               CVE-2013-3665 were different.
Feb 21, 2014   The vendor fixed CVE-2014-0818 and CVE-2014-0819, and
               IPA published the advisories: JVN#33382534 and JVN#43254599.

------------------------
Reference
------------------------

* Hatena Diary (my blog post, in Japanese)
http://d.hatena.ne.jp/kaito834/20140223/1393145077

* Autodesk, Inc.
http://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/AutoLISP-and-VBA-Security-Controls-in-AutoCAD-2013-SP1.html

* Vulnerability related to CVE-2014-0818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3360
http://www.exploit-db.com/exploits/18125/

==========================================================================