==========================================================================
Two Vulnerabilities of AutoCAD: CVE-2014-0818 and CVE-2014-0819
Mar 16, 2014
@kaito834
==========================================================================
------------------------
Overview
------------------------
AutoCAD 2013 and earlier versions contain untrusted search path vulnerabilities.
When AutoCAD loads a FAS or DLL file, it searches for these files in the current
working directory. Therefore, an attacker or malware could get its own FAS or DLL
file loaded when an AutoCAD user opens a DWG file stored in a directory that also
contains such a DLL or FAS file.
The vendor, Autodesk, Inc., fixed these vulnerabilities in AutoCAD 2014.
These vulnerabilities were assigned CVE-2014-0818 and CVE-2014-0819.
CVE-2014-0818/JVN#33382534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0818
https://jvn.jp/en/jp/JVN33382534/
CVE-2014-0819/JVN#43254599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0819
https://jvn.jp/en/jp/JVN43254599/
------------------------
Background
------------------------
In June 2012, ESET posted a blog entry (*1) about ACAD/Medre.A, a worm written in
AutoLISP. The blog entry explained that the malware abused the automatic loading of
AutoLISP routines. I became interested in the search path of AutoCAD and consulted
the official AutoCAD documentation. I confirmed that AutoCAD searches for AutoLISP
code in the current working directory first (*2) if the AutoLISP code is loaded by
filename only. As a result, I wrote a Proof of Concept based on the ESET blog entry
and reported the malware issue as an untrusted search path vulnerability to IPA (*3).
(*1): http://www.welivesecurity.com/2012/06/21/acadmedre-a-technical-analysis-2/
(*2): http://exchange.autodesk.com/autocad/online-help/browse#WS73099cc142f4875516d84be10ebc87a53f-7872.htm (Japanese)
(*3): INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN
http://www.ipa.go.jp/security/english/third.html
------------------------
Procedure for reproducing issue
------------------------
I confirmed this procedure on AutoCAD 2013, version G.55.0.0.
(1) Launch AutoCAD 2013 and save empty design data as Drawing1.dwg.
Then store Drawing1.dwg together with the PoC code, Acad.fas (*4),
in C:\exploit.
http://f.hatena.ne.jp/kaito834/20140222203210
(2) With Process Monitor (*5) running, open Drawing1.dwg by double-clicking it.
(3) AutoCAD 2013 launches, and calc.exe launches at the same time.
http://f.hatena.ne.jp/kaito834/20140222203211
Then look at Process Monitor and you can confirm that Acad.fas is loaded
from the current working directory in which Drawing1.dwg is stored.
http://f.hatena.ne.jp/kaito834/20140222203212
Then look at [Event Properties] - [Stack] in Process Monitor and
you can see that accore.dll loads Acad.fas.
http://f.hatena.ne.jp/kaito834/20140222203213
(*4): The PoC code is not explained in this advisory. Please contact me
if you are interested in the PoC.
(*5): http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
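The following is an added example (written for this advisory, not the author's
PoC and not Autodesk code) showing how a defender can check a Process Monitor
CSV export for the behaviour described in step (3): acad.exe reading AutoLISP
autoload files or mapping DLLs from a directory outside its installation
directory. Assumptions: the CSV header is Process Monitor's default export
layout, the trusted prefix is the default install root C:\Program Files\Autodesk\,
the autoload names other than acad.fas come from the AutoLISP startup
documentation, and the sample rows are constructed to mirror the procedure
above (C:\exploit, Drawing1.dwg, Acad.fas).

```python
"""Scan a Process Monitor CSV export for AutoCAD autoload files (FAS/LSP/DLL)
read or mapped from outside the AutoCAD installation directory.

Added example for this advisory; not the author's PoC and not Autodesk code.
Assumptions: Process Monitor's default CSV export header, the default install
root as the trusted prefix, and constructed sample rows.
"""
import csv
import io
from pathlib import PureWindowsPath

# AutoCAD autoload file names. acad.fas is the one observed in the advisory;
# the others are the AutoLISP startup names (assumed from Autodesk docs).
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp", "acad.vlx", "acaddoc.lsp", "acaddoc.fas"}

# Directory prefixes from which AutoCAD is expected to load code (assumption:
# default install root; extend with the site's support-file search paths).
TRUSTED_PREFIXES = ("c:\\program files\\autodesk\\",)

# Constructed sample of a Process Monitor CSV export, not a real capture.
# It mirrors the advisory's procedure: Drawing1.dwg opened from C:\exploit.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:02.1000000 PM","acad.exe","1234","CreateFile","C:\Program Files\Autodesk\AutoCAD 2013\acad.exe","SUCCESS","Desired Access: Read"
"8:01:02.2000000 PM","acad.exe","1234","Load Image","C:\Program Files\Autodesk\AutoCAD 2013\accore.dll","SUCCESS","Image Base: 0x10000000"
"8:01:03.0000000 PM","acad.exe","1234","CreateFile","C:\exploit\Drawing1.dwg","SUCCESS","Desired Access: Read"
"8:01:03.1000000 PM","acad.exe","1234","CreateFile","C:\exploit\acad.fas","SUCCESS","Desired Access: Read"
"8:01:03.2000000 PM","acad.exe","1234","CreateFile","C:\exploit\acad.lsp","NAME NOT FOUND","Desired Access: Read"
"8:01:03.3000000 PM","acad.exe","1234","Load Image","C:\exploit\unexpected.dll","SUCCESS","Image Base: 0x20000000"
"8:01:04.0000000 PM","explorer.exe","800","CreateFile","C:\exploit\acad.fas","SUCCESS","Desired Access: Read"
'''


def is_trusted(path, trusted_prefixes):
    """True when the path lies under one of the trusted directory prefixes."""
    return path.lower().startswith(tuple(p.lower() for p in trusted_prefixes))


def find_untrusted_loads(csv_text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return findings for acad.exe touching autoload files outside trusted dirs.

    A successful CreateFile on an autoload name is reported as "loaded"; a
    NAME NOT FOUND on such a name is reported as "probed" (it shows the search
    path being walked even when nothing was planted); a successful Load Image
    of a DLL outside the trusted prefixes is reported as "loaded".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != "acad.exe":
            continue
        op, path, result = row["Operation"], row["Path"], row["Result"]
        if is_trusted(path, trusted_prefixes):
            continue
        name = PureWindowsPath(path).name.lower()
        if op == "CreateFile" and name in AUTOLOAD_NAMES:
            if result == "SUCCESS":
                kind = "loaded"
            elif result == "NAME NOT FOUND":
                kind = "probed"
            else:
                continue
        elif op == "Load Image" and name.endswith(".dll") and result == "SUCCESS":
            kind = "loaded"
        else:
            continue
        findings.append({"time": row["Time of Day"], "kind": kind, "path": path})
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_loads(SAMPLE_CSV):
        print(f"{finding['time']} {finding['kind']:7} {finding['path']}")
```

Run against a real export (File > Save, CSV format, filtered to acad.exe),
the "probed" entries are the useful signal on a patched or SP1-hardened
installation: they show which directories AutoCAD still consults, so the
support-file search path can be reviewed without any file being planted.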
------------------------
Timeline
------------------------
Jul 3, 2012 I reported the vulnerability to IPA by email, and
IPA responded that they had received the vulnerability report.
Aug 6, 2012 IPA informed me by email that they had confirmed the report and
submitted it to the vendor, Autodesk, Inc.
mid-Aug 2012 The vendor released AutoCAD 2013 Service Pack 1 (SP1),
which provided a new security feature; see Reference.
Apr 4, 2013 I asked IPA by email whether the vulnerability had been fixed
or not.
Apr 18, 2013 IPA answered me by email that the vendor had released SP1 and
would fix the vulnerability in the future.
May 11, 2013 I asked IPA by email whether CVE-2014-0818 had been fixed and
CVE-2014-0819 had not.
May 22, 2013 IPA answered me by email that CVE-2014-0818 and CVE-2014-0819
had not been fixed and would be fixed in the future.
Aug 22, 2013 I asked IPA by email whether the vulnerability and CVE-2013-3665
were different or not.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3665
Sep 4, 2013 IPA responded to me by email that they were waiting for a reply
from the vendor.
mid-Sep 2013 IPA answered me by email that the vulnerability and CVE-2013-3665
were different.
Feb 21, 2014 The vendor fixed CVE-2014-0818 and CVE-2014-0819, and
IPA published the advisories: JVN#33382534 and JVN#43254599.
------------------------
Reference
------------------------
* Hatena Diary (my blog post in Japanese)
http://d.hatena.ne.jp/kaito834/20140223/1393145077
* Autodesk, Inc
http://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/AutoLISP-and-VBA-Security-Controls-in-AutoCAD-2013-SP1.html
* Vulnerability related to CVE-2014-0818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3360
http://www.exploit-db.com/exploits/18125/
==========================================================================