AutoCAD DWG-AC1021 Memory Corruption

2013.07.25
Credit: Felipe Manzano
Risk: High
Local: Yes
Remote: No
CVE: CVE-2013-3665
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

pgrade your autocad or DWG relatred software: Original advisory: http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112 ============================================ Title: AutoCAD DWG-AC1021 Heap Corruption Product: Autodesk AutoCAD Advisory ID: BINA-20130724 CVE ID: CVE-2013-3665 Class: Boundary Error Condition (Buffer Overflow) Vulnerability class: Client side/ file format Permalink: http://binamuse.com/advisories/BINA-20130724.txt Vendor notified on: 2013-03-27 Patch/Fix Released: 2013-07-10 Advisory Published: 2013-07-24 Vulnerability Description: AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the world leading CAD design tools. It is developed and sold by Autodesk, Inc. AutoCad is vulnerable to an arbitrary pointer dereference vulnerability, which can be exploited by malicious remote attackers to compromise a user's system. This issue is due to AutoCad's failure to properly bounds-check data in a DWG file before using it to index and copy heap memory values. This can be exploi- ted to execute arbitrary code by opening a specially crafted DWG file, version AC1021. This version was the native fileformat of AutoCAD Release 2007. New versions of the format emerged but AC1021 is still supported in modern AutoCADs for back- ward compatibility. Vulnerable Packages: AutoCAD(R) 2014 AutoCAD(R) 2013 AutoCAD(R) 2012 AutoCAD(R) 2011 AutoCAD(R) Architecture 2014 AutoCAD(R) Architecture 2013 AutoCAD(R) Architecture 2012 AutoCAD(R) Architecture 2011 AutoCAD(R) Civil 3D(R) 2014 AutoCAD(R) Civil 3D(R) 2013 AutoCAD(R) Civil 3D(R) 2012 AutoCAD(R) Civil 3D(R) 2011 AutoCAD(R) ecscad 2014 AutoCAD(R) ecscad 2013 AutoCAD(R) ecscad 2012 AutoCAD(R) ecscad 2011 AutoCAD(R) Electrical 2014 AutoCAD(R) Electrical 2013 AutoCAD(R) Electrical 2012 AutoCAD(R) Electrical 2011 AutoCAD LT(R) 2014 AutoCAD LT(R) 2013 AutoCAD LT(R) 2012 AutoCAD LT(R) 2011 AutoCAD(R) Map 3D 2014 AutoCAD(R) Map 3D 2013 AutoCAD(R) Map 3D 2012 AutoCAD(R) Map 3D 2011 AutoCAD(R) Mechanical 2014 AutoCAD(R) Mechanical 2013 AutoCAD(R) Mechanical 2012 AutoCAD(R) Mechanical 2011 AutoCAD(R) MEP 2014 AutoCAD(R) MEP 2013 AutoCAD(R) MEP 2012 AutoCAD(R) MEP 2011 AutoCAD(R) P&ID 2014 AutoCAD(R) P&ID 2013 AutoCAD(R) P&ID 2012 AutoCAD(R) P&ID 2011 AutoCAD(R) Plant 3D 2014 AutoCAD(R) Plant 3D 2013 AutoCAD(R) Plant 3D 2012 AutoCAD(R) Plant 3D 2011 AutoCAD(R) Structural Detailing 2014 AutoCAD(R) Structural Detailing 2013 AutoCAD(R) Structural Detailing 2012 AutoCAD(R) Structural Detailing 2011 AutoCAD(R) Utility Design 2014 AutoCAD(R) Utility Design 2012 DWG TrueView(TM) 2014 DWG TrueView(TM) 2013 DWG TrueView(TM) 2012 DWG TrueView(TM) 2011 Not Vulnerable Packages: None Solution/Vendor Information/Workaround: http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe Credits: This vulnerability was found by Joshep J. Cortez Sanchez of the Binamuse Vulnerability Research Team, http://binamuse.com Technical Description: The R2007 dwg format is composed by sections and pages. Sections come in two flavors system sections and data sections. The system sections contain informa- tion about where the data sections and their pages are in the file. The system sections are built based in two main data structures: a first header and a second header. In addition, there are two important sections in the file structure, the page map and the section map. Each one of this sections should be decoded using Reed Solomon algorithm and optionally be compressed with a proprietary algorithm (which we will ignore). The file structure looks like this: +------DWG-----------------------------------------------------------------+ | +-----------------+ +-------------+ +------------------+ | | | 1st Header | | Page Map | | Sections Map | | | +--+--------------+ +-------------+ +------------------+ | +--- | --------------------------------------------------------------------+ | | Reed Solomon | +----V--------------------------+ +-------------->| | | | | | | | Header Values | | +-------------------+ | | | | Page Count | +-------------------------------+ | Decompress +-------------------+ | Header CRC | | | Page Max ID | +-------------------------------+ | +-------------------+ | | | | | | Second Header | | +-------------------+ | (Compressed) +------+ | Page Map Offset | | | +-------------------+ +-------------------------------+ | Page Map Len | | Second Header CRC | +-------------------+ +-------------------------------+ | | The DWG R2007 also known as AC1021 is well documented by the reversing effort of opendesign. For more detail on this please check http://opendesign.com AutoCAD starts by parsing the 1st header. Among other things it reads the size and location of the 2nd header. From the second header it reads the position in the file where the page map is stored, the number of pages present in the file (Page Count) and the maximum page id (Page Max ID) a page shall have. The page map is stored in a single system section page and it is composed by tuples (ID, Size) where ID is the page number. +-PageMap-------------+ | ID | Size | +---------------------+ | ID | Size | +---------------------+ | ID | Size | +---------------------+ When each PageMap node is read two data structures are updated, a double linked list of page map nodes called PMapList and an id indexed array of node pointers called PMapArray. PMapArray is an array of node pointers maintained for quick access of the page map nodes. It maps the id to the actual page map node. A memory chunk of pages-maxid*sizeof(void*) bytes is allocated for it as declared in the 2nd header. The bug: When each new page map node is created its address is stored in the corresponding id position of the PMapArray array without checking its boundaries. Thus, enabling an arbitrary heap offset overwrite with a pointer to the recently created node. REFERENCES: http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html http://binamuse.com/advisories/BINA-20130724.txt http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe DISCLAIMER: The content of this advisory are copyright (c) 2013 Binamuse Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

References:

http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html
http://binamuse.com/advisories/BINA-20130724.txt
http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf
http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top