Sketchup MAC Pict Material Palette Stack Corruption

2013.06.01
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

If you are still using an old version of SketchUp(8M2) you should upgrade it. Title: Sketchup MAC Pict Material Palette Stack Corruption Product: Google SketchUp Advisory ID: BINA-20111201 CVE ID: CVE-2013-3662 Class: Boundary Error Condition (Buffer Overflow) Vulnerability class: Client side/ file format Permalink: http://binamuse.com/advisories/BINA-20111201.txt Vendor notified on: 2011-07-18 Patch/Fix Released: 2011-12-01 Advisory Published: 2013-05-23 Vulnerability Description: SketchUp is a 3D modeling program marketed by Google (2011) and designed for architectural, civil, and mechanical engineers as well as filmmakers, game developers, and related professions. SketchUp fails to validate the input when parsing an embedded MACPict texture. Arbitrary code execution is proved possible after a malicious texture or thumbnail or background image triggers a stack overflow. The issue can also be triggered when Windows Explorer reads the embedded thumbnail in a .skp file. Vulnerable Packages: SketchUp 8 - Maintenance 1 SketchUp 8 SketchUp 7.1 - Maintenance 2 SketchUp 7.1 - Maintenance 1 SketchUp 7.1 SketchUp 7 - Maintenance 1 SketchUp Pro 6 - Maintenance 6 Not Vulnerable Packages: SketchUp 8 - Maintenance 2 and abobe Solution/Vendor Information/Workaround: Upgrade to Sketchup 2013 URL: http://www.sketchup.com/products/sketchup-pro/new-in-2013 Or to get the latest version of SketchUp 8: Windows: Choose Help > Check for Update Mac: Choose SketchUp > Check Web for Update Credits: This vulnerability was found by Felipe Andres Manzano of the Binamuse Vulnerability Research Team, http://binamuse.com Technical Description: Sketchup fails to validate the input when parsing an embedded MAC Pict texture, leading to an arbitrary stack offset overwrite and finally to an arbitrary code execution. The native SketchUp fileformat can handle textured 3D content. Sketchup can create realistic materials taken from image files such as jpg pictures taken with a digital camera. A number of this images can be embedded into the main .skp file and loaded every time the 3D scene is open. The bug is triggered when SketchUp loads the color palette table of a MAC Pict material (or embedded image). '' In the Windows version 8.0.4811 the function responsible for the pallete loading can be found at address 0x8849B0 '' A MAC Pict file can hold palettes of up to 64k colors. It is encoded so the number of colors to read from the file is the first 16bit unsigned value of the encoded palette. '>H' numColors Then it follows a list of up to numColors palette entries. [ '>H' color index 'BBB' RGB ] * numColors Each entry is a pair of index and RGB color and the entries can be put in any order. The only constraint is that each index must be less or equal than numColor. SketchUp reads this potentially 64k entries length table in a 256 entries length stack buffer. Thus, is fair to say that an almost arbitrary offset of the stack can be written with an almost arbitrary value. Playing with the stacked local values of the calling functions it is possible to capture the execution flow and execute arbitrary code. REFERENCES: http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html DISCLAIMER: The content of this advisory are copyright (c) 2013 Binamuse Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. f/

References:

http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top