AutoCAD 2013 G.55.0.0 Untrusted Search Path

2014.03.18
Credit: kaito834
Risk: Low
Local: Yes
Remote: No
CWE: N/A

========================================================================== Two Vulnerabilities of AutoCAD: CVE-2014-0818 and CVE-2014-0819 Mar 16, 2014 @kaito834 ========================================================================== ------------------------ Overview ------------------------ AutoCAD 2013 and earlier version contained untrusted search path vulnerabilities. When the AutoCAD load FAS or DLL file, the AutoCAD search these files on current working directory. Therefore, attacker or malware could load own FAS or DLL?file when AutoCAD user opened DWG file on a directory stored these DLL or FAS file. The vendor, Autodesk, Inc, fixed these vulnerabilities in AutoCAD 2014. These vulnerabilities were assigned CVE-2014-0818 and CVE-2014-0819. CVE-2014-0818/JVN#33382534 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0818 https://jvn.jp/en/jp/JVN33382534/ CVE-2014-0819/JVN#43254599 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0819 https://jvn.jp/en/jp/JVN43254599/ ------------------------ Background ------------------------ On June 2012, ESET posted blog entry (*1) about ACAD/Medre.A, a worm written in AutoLISP. The blog entry explained the malware abused automatic loading of AutoLISP routines. I interested in search path of AutoCAD and consulted AutoCAD official document. And, I confirmed that AutoCAD search AutoLisp code firstly on current working directory (*2) if AutoLisp code was loaded by only filename. As a result, I wrote a Proof of Concept based the ESET blog entry and reported malware issue as untrusted search path vulnerability to IPA (*3). (*1): http://www.welivesecurity.com/2012/06/21/acadmedre-a-technical-analysis-2/ (*2): http://exchange.autodesk.com/autocad/online-help/browse#WS73099cc142f4875516d84be10ebc87a53f-7872.htm (Japanese) (*3): INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN http://www.ipa.go.jp/security/english/third.html ------------------------ Procedure for reproducing issue ------------------------ I confirmed this procedure on AutoCAD 2013, version G.55.0.0. (1) Launch AutoCAD 2013 and saved empty dimensional design data as Drawing1.dwg. Then, store the Drawing1.dwg with PoC code, Acad.fas (*4), on C:\exploit. http://f.hatena.ne.jp/kaito834/20140222203210 (2) After Process Monitor (*5) is launched, open Drawing1.dwg by double-click. (3) Launched AutoCAD 2013, and launched calc.exe at same time. http://f.hatena.ne.jp/kaito834/20140222203211 Then, look up Process Monitor and you can confirm that Acad.fas is loaded on current working directory stored Drawing1.dwg. http://f.hatena.ne.jp/kaito834/20140222203212 And, look up [Event Properties] - [Stack] of Process Monitor and you can see that accore.dll load Acad.fas. http://f.hatena.ne.jp/kaito834/20140222203213 (*4): PoC code is not explained this advisory. Please contact to me if you were interested in PoC. (*5): http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx ------------------------ Timeline ------------------------ Jul 3, 2012 I reported the vulnerability to IPA by email, and IPA responded that we received the vulnerability report. Aug 6, 2012 IPA informed me that we confirmed the report and submitted to vendor, Autodesk, Inc, by email. mid-Aug 2012 The vendor released AudoCAD 2013 Service Pack 1(SP1) that provided new security feature; see Reference. Apr 4, 2013 I inquired at IPA whether the vunlerability was fixed or not by email. Apr 18, 2013 IPA answered to me that the vendor released SP1 and would fix the vulnerability in the future by email. May 11, 2013 I inquired at IPA whether CVE-2014-0818 was fixed, and CVE-2014-0819 was not fixed by email. May 22, 2013 IPA answered to me that CVE-2014-0818 and CVE-2014-0819 were not fixed, and would be fixed in the future by email. Aug 22, 2013 I inquired at IPA whether the vulnerability and CVE-2013-3665 were different or not by email. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3665 Sep 4, 2013 IPA responded to me that we were waiting for reply from vendor by email. mid-Sep 2013 IPA answered to me that the vulnerability and CVE-2013-3665 were different by email. Feb 21, 2014 The vendor fixed CVE-2014-0818 and CVE-2014-0819, and IPA puslished the advisories: JVN#33382534 and JVN#43254599. ------------------------ Reference ------------------------ * Hatena Diary(my blog post in Japanse) http://d.hatena.ne.jp/kaito834/20140223/1393145077 * Autodesk, Inc http://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/AutoLISP-and-VBA-Security-Controls-in-AutoCAD-2013-SP1.html * Vulnerability related to CVE-2014-0818 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3360 http://www.exploit-db.com/exploits/18125/ ==========================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top