pgrade your autocad or DWG relatred software:
Original advisory:
http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112
============================================
Title: AutoCAD DWG-AC1021 Heap Corruption
Product: Autodesk AutoCAD
Advisory ID: BINA-20130724
CVE ID: CVE-2013-3665
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20130724.txt
Vendor notified on: 2013-03-27
Patch/Fix Released: 2013-07-10
Advisory Published: 2013-07-24
Vulnerability Description:
AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the world leading CAD design tools. It is developed and sold by Autodesk, Inc.
AutoCad is vulnerable to an arbitrary pointer dereference vulnerability, which
can be exploited by malicious remote attackers to compromise a user's system.
This issue is due to AutoCad's failure to properly bounds-check data in a DWG
file before using it to index and copy heap memory values. This can be exploi-
ted to execute arbitrary code by opening a specially crafted DWG file, version
AC1021.
This version was the native fileformat of AutoCAD Release 2007. New versions of
the format emerged but AC1021 is still supported in modern AutoCADs for
back-
ward compatibility.
Vulnerable Packages:
AutoCAD(R) 2014
AutoCAD(R) 2013
AutoCAD(R) 2012
AutoCAD(R) 2011
AutoCAD(R) Architecture 2014
AutoCAD(R) Architecture 2013
AutoCAD(R) Architecture 2012
AutoCAD(R) Architecture 2011
AutoCAD(R) Civil 3D(R) 2014
AutoCAD(R) Civil 3D(R) 2013
AutoCAD(R) Civil 3D(R) 2012
AutoCAD(R) Civil 3D(R) 2011
AutoCAD(R) ecscad 2014
AutoCAD(R) ecscad 2013
AutoCAD(R) ecscad 2012
AutoCAD(R) ecscad 2011
AutoCAD(R) Electrical 2014
AutoCAD(R) Electrical 2013
AutoCAD(R) Electrical 2012
AutoCAD(R) Electrical 2011
AutoCAD LT(R) 2014
AutoCAD LT(R) 2013
AutoCAD LT(R) 2012
AutoCAD LT(R) 2011
AutoCAD(R) Map 3D 2014
AutoCAD(R) Map 3D 2013
AutoCAD(R) Map 3D 2012
AutoCAD(R) Map 3D 2011
AutoCAD(R) Mechanical 2014
AutoCAD(R) Mechanical 2013
AutoCAD(R) Mechanical 2012
AutoCAD(R) Mechanical 2011
AutoCAD(R) MEP 2014
AutoCAD(R) MEP 2013
AutoCAD(R) MEP 2012
AutoCAD(R) MEP 2011
AutoCAD(R) P&ID 2014
AutoCAD(R) P&ID 2013
AutoCAD(R) P&ID 2012
AutoCAD(R) P&ID 2011
AutoCAD(R) Plant 3D 2014
AutoCAD(R) Plant 3D 2013
AutoCAD(R) Plant 3D 2012
AutoCAD(R) Plant 3D 2011
AutoCAD(R) Structural Detailing 2014
AutoCAD(R) Structural Detailing 2013
AutoCAD(R) Structural Detailing 2012
AutoCAD(R) Structural Detailing 2011
AutoCAD(R) Utility Design 2014
AutoCAD(R) Utility Design 2012
DWG TrueView(TM) 2014
DWG TrueView(TM) 2013
DWG TrueView(TM) 2012
DWG TrueView(TM) 2011
Not Vulnerable Packages:
None
Solution/Vendor Information/Workaround:
http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe
Credits:
This vulnerability was found by Joshep J. Cortez Sanchez of the
Binamuse Vulnerability Research Team, http://binamuse.com
Technical Description:
The R2007 dwg format is composed by sections and pages. Sections come in
two
flavors system sections and data sections. The system sections contain
informa-
tion about where the data sections and their pages are in the file.
The system sections are built based in two main data structures: a first
header
and a second header. In addition, there are two important sections in the
file
structure, the page map and the section map. Each one of this sections
should
be decoded using Reed Solomon algorithm and optionally be compressed with a
proprietary algorithm (which we will ignore).
The file structure looks like this:
+------DWG-----------------------------------------------------------------+
| +-----------------+ +-------------+
+------------------+ |
| | 1st Header | | Page Map | | Sections Map
| |
| +--+--------------+ +-------------+
+------------------+ |
+--- |
--------------------------------------------------------------------+
|
| Reed Solomon
|
+----V--------------------------+ +-------------->|
|
| | | |
|
| Header Values | |
+-------------------+
| | | | Page Count
|
+-------------------------------+ | Decompress
+-------------------+
| Header CRC | | | Page Max ID
|
+-------------------------------+ |
+-------------------+
| | | |
|
| Second Header | |
+-------------------+
| (Compressed) +------+ | Page Map
Offset |
| |
+-------------------+
+-------------------------------+ | Page Map Len
|
| Second Header CRC |
+-------------------+
+-------------------------------+ |
|
The DWG R2007 also known as AC1021 is well documented by the reversing
effort
of opendesign. For more detail on this please check http://opendesign.com
AutoCAD starts by parsing the 1st header. Among other things it reads the
size and location of the 2nd header. From the second header it reads the
position in
the file where the page map is stored, the number of pages present in the
file
(Page Count) and the maximum page id (Page Max ID) a page shall have. The
page
map is stored in a single system section page and it is composed by tuples
(ID, Size) where ID is the page number.
+-PageMap-------------+
| ID | Size |
+---------------------+
| ID | Size |
+---------------------+
| ID | Size |
+---------------------+
When each PageMap node is read two data structures are updated, a double
linked list of page map nodes called PMapList and an id indexed array of node
pointers called PMapArray.
PMapArray is an array of node pointers maintained for quick access of the
page map nodes. It maps the id to the actual page map node. A memory chunk of
pages-maxid*sizeof(void*) bytes is allocated for it as declared in the 2nd
header.
The bug: When each new page map node is created its address is stored in
the corresponding id position of the PMapArray array without checking its
boundaries. Thus, enabling an arbitrary heap offset overwrite with a
pointer to the recently created node.
REFERENCES:
http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html
http://binamuse.com/advisories/BINA-20130724.txt
http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf
http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe
DISCLAIMER:
The content of this advisory are copyright (c) 2013 Binamuse Inc.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.