exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sketchup MAC Pict Material Palette Stack Corruption

Sketchup MAC Pict Material Palette Stack Corruption
Posted May 31, 2013
Authored by Felipe Andres Manzano

SketchUp is a 3D modeling program marketed by Google (2011) and designed for architectural, civil, and mechanical engineers as well as filmmakers, game developers, and related professions. SketchUp fails to validate the input when parsing an embedded MACPict texture. Arbitrary code execution is proved possible after a malicious texture or thumbnail or background image triggers a stack overflow. The issue can also be triggered when Windows Explorer reads the embedded thumbnail in a .skp file.

tags | advisory, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2013-3662
SHA-256 | 5d7db50f9ade70ce95f84ac3b672882ffe82ae29e7be793a09e28762eee3b890

Sketchup MAC Pict Material Palette Stack Corruption

Change Mirror Download
If you are still using an old version of SketchUp(8M2) you should upgrade it.

Title: Sketchup MAC Pict Material Palette Stack Corruption
Product: Google SketchUp
Advisory ID: BINA-20111201
CVE ID: CVE-2013-3662
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: https://binamuse.com/advisories/BINA-20111201.txt
Vendor notified on: 2011-07-18
Patch/Fix Released: 2011-12-01
Advisory Published: 2013-05-23

Vulnerability Description:

SketchUp is a 3D modeling program marketed by Google (2011) and designed
for architectural, civil, and mechanical engineers as well as filmmakers,
game developers, and related professions.

SketchUp fails to validate the input when parsing an embedded MACPict
texture. Arbitrary code execution is proved possible after a malicious
texture or thumbnail or background image triggers a stack overflow.
The issue can also be triggered when Windows Explorer reads the embedded
thumbnail in a .skp file.

Vulnerable Packages:

SketchUp 8 - Maintenance 1
SketchUp 8
SketchUp 7.1 - Maintenance 2
SketchUp 7.1 - Maintenance 1
SketchUp 7.1
SketchUp 7 - Maintenance 1
SketchUp Pro 6 - Maintenance 6

Not Vulnerable Packages:

SketchUp 8 - Maintenance 2 and abobe

Solution/Vendor Information/Workaround:
Upgrade to Sketchup 2013
URL: https://www.sketchup.com/products/sketchup-pro/new-in-2013

Or to get the latest version of SketchUp 8:
Windows: Choose Help > Check for Update
Mac: Choose SketchUp > Check Web for Update

Credits:

This vulnerability was found by Felipe Andres Manzano of the
Binamuse Vulnerability Research Team, https://binamuse.com

Technical Description:

Sketchup fails to validate the input when parsing an embedded MAC Pict
texture, leading to an arbitrary stack offset overwrite and finally to an
arbitrary code execution.

The native SketchUp fileformat can handle textured 3D content. Sketchup
can create realistic materials taken from image files such as jpg pictures
taken with a digital camera. A number of this images can be embedded into
the main .skp file and loaded every time the 3D scene is open.

The bug is triggered when SketchUp loads the color palette table of a
MAC Pict material (or embedded image).

'' In the Windows version 8.0.4811 the function responsible
for the pallete loading can be found at address 0x8849B0 ''

A MAC Pict file can hold palettes of up to 64k colors. It is encoded so the
number of colors to read from the file is the first 16bit unsigned value of the
encoded palette.

'>H' numColors

Then it follows a list of up to numColors palette entries.

[
'>H' color index
'BBB' RGB
] * numColors

Each entry is a pair of index and RGB color and the entries can be put in any
order. The only constraint is that each index must be less or equal
than numColor.
SketchUp reads this potentially 64k entries length table in a 256
entries length
stack buffer.

Thus, is fair to say that an almost arbitrary offset of the stack can
be written
with an almost arbitrary value. Playing with the stacked local values of the
calling functions it is possible to capture the execution flow and execute
arbitrary code.

REFERENCES:

https://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html

DISCLAIMER:

The content of this advisory are copyright (c) 2013 Binamuse Inc.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

f/


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close