Document Title: =============== Google SketchUp v8.x - Memory Corruption Vulnerability Release Date: ============= 2011-09-12 Vulnerability Laboratory ID (VL-ID): ==================================== 99 Product & Service Introduction: =============================== Google SketchUp Pro is 3D modeling software for professionals. SketchUp is easy and intuitive, allowing anyone to model in 3D quickly and accurately. Using 3D models, designers can make more informed decisions, communicate project details, and share ideas with colleagues and customers to reach a common goal. SketchUp Pro includes LayOut, a 2D documentation and presentation tool for professionals. LayOut combines 3D models with text and 2D drawing elements to create design documents, construction drawings and compelling digital presentations. (Copy of the Vendor Homepage: http://sketchup.google.com/intl/de/download/) Abstract Advisory Information: ============================== Vulnerability-Lab Team discovered a Memory Corruption Vulnerability on Googles SketchUp Software v8.x. Vulnerability Disclosure Timeline: ================================== 2011-09-13: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A Memory Corruption vulnerability is detected on the Google s SketchUp v8.x. The vulnerability is caused by an memory corruption when processing corrupt DAE files through the filter, which could be exploited by attackers to crash an affected/vulnerable application. Its also possible to execute maschine specific code by tricking a user into opening a special crafted (manipulated) DAE file. The bug is located in the configuration & transformation handling of .dae import function (module). Vulnerable Module(s): [+] DAE - Import --- Bugsplat Logs --- 2011-07-24 20:20:55 Entered Unhandled Exception Filter 2011-07-24 20:20:55 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp 2011-07-24 20:20:55 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 2011-07-24 20:26:00 Entered Unhandled Exception Filter 2011-07-24 20:26:01 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp 2011-07-24 20:26:01 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 2011-07-24 20:26:53 Entered Unhandled Exception Filter 2011-07-24 20:26:54 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp 2011-07-24 20:26:54 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 2011-07-24 20:35:51 Entered Unhandled Exception Filter 2011-07-24 20:35:51 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp 2011-07-24 20:35:51 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ --- Sketchup Logs --- Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) Commit(0) --- Exception Logs --- (10f4.dcc): C++ EH exception - code e06d7363 (first chance) eax=0986ef50 ebx=08b05001 ecx=00000003 edx=00000000 esi=08cbf53c edi=090433d8 eip=75feb727 esp=0986ef50 ebp=0986efa0 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 KERNELBASE!RaiseException+0x58: 75feb727 c9 0:001> gn (10f4.dcc): C++ EH exception - code e06d7363 (first chance) eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f4b4b0 eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 KERNELBASE!RaiseException+0x58: 75feb727 c9 0:001> gn (10f4.dcc): C++ EH exception - code e06d7363 (first chance) eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f90bd0 eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 KERNELBASE!RaiseException+0x58: 75feb727 c9 0:001> g eax=00000000 ebx=77a21c04 ecx=00000000 edx=00000000 esi=004da500 edi=00000000 eip=779e00ed esp=0672fc8c ebp=0672fe20 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!NtWaitForMultipleObjects+0x15: 779e00ed 83c404 add esp,4 Information: The sketchup exception-handling filters wrong or manipulated file imports & mark them as not working(wrong.png). The PoC is not affected by the sketchup exception-handling & get through without any blocking exception-handling. Pictures: ../1.png ../2.png ../2.2-bex.png ../3.png ../wrong.png Analyses: ../AppCrash_SketchUp.exe_b7af0d96025b256cb43f14bb2184042bfdb54f4_114ea662 ../AppCrash_SketchUp.exe_b23e85cdd9cd939dfa22fccaf81865a57c03cb_12666c3f ../Crash Reports ../SketchUp5FMH3QI7.dmp ../SketchUpCTOP41M5.dmp ../bugsplat.log Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers or remote attackers via high required user inter action. For demonstration or reproduce ... 9.012466 -7.460699e-014 32.20518 8.953292 -6.750156e-014 32.1395 9.053064 -4.973799e-014 32.37933 8.872076 -6.394885e-014 32.69951 8.781835 -4.263256e-014 33.29565 8.601355 -2.131628e-014 34.02728 PoC: ../PoC/poc.dae SIZE: 136kb Security Risk: ============== The security risk of the memory corruption vulnerability is estimated as medium. Credits & Authors: ================== Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory