SketchUp BMP RLE8 Heap Overflow

2013.06.01
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

If you are still using a not so old version of SketchUp(8M3) you should upgrade it... Title: SketchUp BMP RLE8 Heap Overflow Product: Google SketchUp Advisory ID: BINA-20120523 CVE ID: CVE-2013-3663 Class: Boundary Error Condition (Buffer Overflow) Vulnerability class: Client side/ file format Permalink: http://binamuse.com/advisories/BINA-20120523.txt Vendor notified on: 2011-08-12 Patch/Fix Released: 2012-05-23 Advisory Published: 2013-05-23 Vulnerability Description: SketchUp is a 3D modeling program marketed by Google (2011) and designed for architectural, civil, and mechanical engineers as well as filmmakers, game developers, and related professionals. SketchUp fails to validate the input when parsing an embedded BMP RLE8 compressed texture. Arbitrary code execution is proved possible after a malicious texture or thumbnail or background image triggers a heap overflow. The issue can also be triggered when Windows Explorer reads the embedded thumbnail in a .skp file. Vulnerable Packages: SketchUp 8 - Maintenance 1 SketchUp 8 SketchUp 7.1 - Maintenance 2 SketchUp 7.1 - Maintenance 1 SketchUp 7.1 SketchUp 7 - Maintenance 1 SketchUp Pro 6 - Maintenance 6 Not Vulnerable Packages: SketchUp 8 - Maintenance 3 and abobe Solution/Vendor Information/Workaround: Upgrade to Sketchup 2013 URL: http://www.sketchup.com/products/sketchup-pro/new-in-2013 Or to get the latest version of SketchUp 8: Windows: Choose Help > Check for Update Mac: Choose SketchUp > Check Web for Update Credits: This vulnerability was found by Felipe Andres Manzano of the Binamuse Vulnerability Research Team, http://binamuse.com Technical Description: Sketchup fails to validate the input when parsing an embedded BMP RLE8 compressed texture, leading to an arbitrary stack offset overwrite and finally to arbitrary code execution. The native SketchUp fileformat can handle textured 3D content. Sketchup can create realistic materials taken from image files such as jpg pictures taken with a digital camera. A number of this images can be embedded into the main .skp file and loaded every time the 3D scene is open. The code parsing BMP/RLE images seem to be taken from http://www.paintlib.de/paintlib/. The problematic function is at plbmpdec.bpp and it looks like this: 482 void PLBmpDecoder::decodeRLE8 483 ( PLDataSource * pDataSrc, 484 PLBmpBase * pBmp 485 ) 486 // Decodes a compressed 256-color-bitmap 487 { 488 int y; // Current row 489 490 PLBYTE * pDest; // Current destination 491 PLBYTE * pSrc; // Current position in file 492 PLBYTE RunLength; // Length of current run 493 bool bEOL; // true if end of line reached 494 bool bEOF=false; // true if end of file reached 495 PLBYTE ** pLineArray = pBmp->GetLineArray(); 496 // Pointers to dest lines 497 498 Trace (2, "Decoding RLE8-compressed bitmap.\n"); 499 500 for (y=0; y<pBmp->GetHeight() && !bEOF; y++) 501 { // For each line... 502 pDest = pLineArray[pBmp->GetHeight()-y-1]; 503 bEOL=false; 504 while (!bEOL) 505 { // For each packet do 506 pSrc = pDataSrc->Read1Byte(); 507 RunLength = *pSrc; 508 if (RunLength==0) 509 { // Literal or escape. 510 pSrc = pDataSrc->Read1Byte(); 511 RunLength = *pSrc; 512 switch (RunLength) 513 { 514 case 0: // End of line escape 515 bEOL = true; 516 break; 517 case 1: // End of file escape 518 bEOF = true; 519 bEOL = true; 520 break; 521 case 2: // Delta escape. 522 // I have never seen a file using this 523 raiseError (PL_ERRFORMAT_NOT_SUPPORTED, 524 "Encountered delta escape."); 525 bEOL = true; 526 bEOF = true; 527 break; 528 default: 529 // Literal packet 530 pSrc = pDataSrc->ReadNBytes(RunLength); 531 memcpy (pDest, pSrc, RunLength); 532 pDest += RunLength; 533 // Word alignment at end of literal packet. 534 if (RunLength & 1) pDataSrc->Skip(1); 535 } 536 } 537 else 538 { // Encoded packet: 539 // RunLength pixels, 539 // all with the same value 540 pSrc = pDataSrc->Read1Byte(); 541 memset (pDest, *pSrc, RunLength); 542 pDest += RunLength; 543 } 544 } 545 } 546 } Note that the 'while' statement at line 504 ends only when it reaches an EOF token (or similar condition) on the input. It decodes RLE packets into the previously allocated buffer "pLineArray". The pLineArray is supposed to by a bitmap. Its size (height*width) is controlled by the input. So we can allocate any buffer size and then write and overflow it with whatever content we want. Exploitation of the above problem will lead to the execution of arbitrary code on the client machine with the privileges of the user running the Sketchup. REFERENCES: http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html DISCLAIMER: The content of this advisory are copyright (c) 2013 Binamuse Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. f/

References:

http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top