[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2013-3663 - SketchUp BMP RLE8 Heap Overflow



If you are still using a not so old version of SketchUp(8M3) you
should upgrade it...

Title: SketchUp BMP RLE8 Heap Overflow
Product: Google SketchUp
Advisory ID: BINA-20120523
CVE ID: CVE-2013-3663
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20120523.txt
Vendor notified on: 2011-08-12
Patch/Fix Released: 2012-05-23
Advisory Published: 2013-05-23

Vulnerability Description:

 SketchUp is a 3D modeling program marketed by Google (2011) and designed
 for architectural, civil, and mechanical engineers as well as filmmakers,
 game developers, and related professionals.

 SketchUp fails to validate the input when parsing an embedded BMP RLE8
 compressed texture. Arbitrary code execution is proved possible after a
 malicious texture or thumbnail or background image triggers a heap overflow.
 The issue can also be triggered when Windows Explorer reads the embedded
 thumbnail in a .skp file.

Vulnerable Packages:

 SketchUp 8 - Maintenance 1
 SketchUp 8
 SketchUp 7.1 - Maintenance 2
 SketchUp 7.1 - Maintenance 1
 SketchUp 7.1
 SketchUp 7     - Maintenance 1
 SketchUp Pro 6 - Maintenance 6

Not Vulnerable Packages:

 SketchUp 8 - Maintenance 3 and abobe

Solution/Vendor Information/Workaround:

 Upgrade to Sketchup 2013
 URL: http://www.sketchup.com/products/sketchup-pro/new-in-2013

 Or to get the latest version of SketchUp 8:
  Windows: Choose Help > Check for Update
  Mac: Choose SketchUp > Check Web for Update

Credits:

 This vulnerability was found by Felipe Andres Manzano of the Binamuse
 Vulnerability Research Team, http://binamuse.com

Technical Description:

 Sketchup fails to validate the input when parsing an embedded BMP RLE8
 compressed texture, leading to an arbitrary stack offset overwrite and
 finally to arbitrary code execution.

 The native SketchUp fileformat can handle textured 3D content. Sketchup
 can create realistic materials taken from image files such as jpg pictures
 taken with a digital camera. A number of this images can be embedded into
 the main .skp file and loaded every time the 3D scene is open.


 The code parsing BMP/RLE images seem to be taken from
http://www.paintlib.de/paintlib/.
 The problematic function is at plbmpdec.bpp and it looks like this:

    482 void PLBmpDecoder::decodeRLE8
    483    ( PLDataSource * pDataSrc,
    484      PLBmpBase * pBmp
    485    )
    486            // Decodes a compressed 256-color-bitmap
    487 {
    488  int y;                    // Current row
    489
    490  PLBYTE * pDest;           // Current destination
    491  PLBYTE * pSrc;            // Current position in file
    492  PLBYTE   RunLength;       // Length of current run
    493  bool   bEOL;              // true if end of line reached
    494  bool   bEOF=false;        // true if end of file reached
    495  PLBYTE ** pLineArray = pBmp->GetLineArray();
    496                            // Pointers to dest lines
    497
    498  Trace (2, "Decoding RLE8-compressed bitmap.\n");
    499
    500  for (y=0; y<pBmp->GetHeight() && !bEOF; y++)
    501  {                         // For each line...
    502    pDest = pLineArray[pBmp->GetHeight()-y-1];
    503    bEOL=false;
    504    while (!bEOL)
    505    {                       // For each packet do
    506      pSrc = pDataSrc->Read1Byte();
    507      RunLength = *pSrc;
    508      if (RunLength==0)
    509      { // Literal or escape.
    510        pSrc = pDataSrc->Read1Byte();
    511        RunLength = *pSrc;
    512        switch (RunLength)
    513        {
    514          case 0:           // End of line escape
    515            bEOL = true;
    516            break;
    517          case 1:           // End of file escape
    518            bEOF = true;
    519            bEOL = true;
    520            break;
    521          case 2:           // Delta escape.
    522            // I have never seen a file using this
    523            raiseError (PL_ERRFORMAT_NOT_SUPPORTED,
    524                        "Encountered delta escape.");
    525            bEOL = true;
    526            bEOF = true;
    527            break;
    528          default:
    529                            // Literal packet
    530            pSrc = pDataSrc->ReadNBytes(RunLength);
    531            memcpy (pDest, pSrc, RunLength);
    532            pDest += RunLength;
    533            // Word alignment at end of literal packet.
    534            if (RunLength & 1) pDataSrc->Skip(1);
    535        }
    536      }
    537      else
    538      {                     // Encoded packet:
    539                            // RunLength pixels,
    539                                 // all with the same value
    540        pSrc = pDataSrc->Read1Byte();
    541        memset (pDest, *pSrc, RunLength);
    542        pDest += RunLength;
    543      }
    544    }
    545  }
    546 }

 Note that the 'while' statement at line 504 ends only when it reaches
an EOF token (or
 similar condition) on the input. It decodes RLE packets into the
previously allocated
 buffer "pLineArray". The pLineArray is supposed to by a bitmap. Its
size (height*width)
 is controlled by the input. So we can allocate any buffer size and
then write and overflow
 it with whatever content we want.

 Exploitation of the above problem will lead to the execution of arbitrary
 code on the client machine with the privileges of the user running the
 Sketchup.

REFERENCES:

 http://blog.binamuse.com/2013/05/multiple-vulnerabilities-on-sketchup.html

DISCLAIMER:

 The content of this advisory are copyright (c) 2013 Binamuse Inc.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.

f/