lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Jul 2013 19:40:05 -0300
From: Felipe Manzano <feliam@...amuse.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
 bugtraq <bugtraq@...urityfocus.com>
Subject: CVE-2013-3665 - AutoCAD DWG-AC1021 Memory
	Corruption

Upgrade your autocad or DWG relatred software:

Original advisory:
http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112

============================================
Title: AutoCAD DWG-AC1021 Heap Corruption
Product: Autodesk AutoCAD
Advisory ID: BINA-20130724
CVE ID: CVE-2013-3665
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20130724.txt
Vendor notified on: 2013-03-27
Patch/Fix Released: 2013-07-10
Advisory Published: 2013-07-24

Vulnerability Description:

 AutoCAD is a software for computer-aided design (CAD) and technical
drawing in
 2D/3D, being one of the world leading CAD design tools. It is developed and
 sold by Autodesk, Inc.

 AutoCad is vulnerable to an arbitrary pointer dereference vulnerability,
which
 can be exploited by malicious remote attackers to compromise a user's
system.
 This issue is due to AutoCad's failure to properly bounds-check data in a
DWG
 file before using it to index and copy heap memory values. This can be
exploi-
 ted to execute arbitrary code by opening a specially crafted DWG file,
version
 AC1021.

 This version was the native fileformat of AutoCAD Release 2007. New
versions of
 the format emerged but AC1021 is still supported in modern AutoCADs for
back-
 ward compatibility.

Vulnerable Packages:

 AutoCAD(R) 2014
 AutoCAD(R) 2013
 AutoCAD(R) 2012
 AutoCAD(R) 2011
 AutoCAD(R) Architecture 2014
 AutoCAD(R) Architecture 2013
 AutoCAD(R) Architecture 2012
 AutoCAD(R) Architecture 2011
 AutoCAD(R) Civil 3D(R) 2014
 AutoCAD(R) Civil 3D(R) 2013
 AutoCAD(R) Civil 3D(R) 2012
 AutoCAD(R) Civil 3D(R) 2011
 AutoCAD(R) ecscad 2014
 AutoCAD(R) ecscad 2013
 AutoCAD(R) ecscad 2012
 AutoCAD(R) ecscad 2011
 AutoCAD(R) Electrical 2014
 AutoCAD(R) Electrical 2013
 AutoCAD(R) Electrical 2012
 AutoCAD(R) Electrical 2011
 AutoCAD LT(R) 2014
 AutoCAD LT(R) 2013
 AutoCAD LT(R) 2012
 AutoCAD LT(R) 2011
 AutoCAD(R) Map 3D 2014
 AutoCAD(R) Map 3D 2013
 AutoCAD(R) Map 3D 2012
 AutoCAD(R) Map 3D 2011
 AutoCAD(R) Mechanical 2014
 AutoCAD(R) Mechanical 2013
 AutoCAD(R) Mechanical 2012
 AutoCAD(R) Mechanical 2011
 AutoCAD(R) MEP 2014
 AutoCAD(R) MEP 2013
 AutoCAD(R) MEP 2012
 AutoCAD(R) MEP 2011
 AutoCAD(R) P&ID 2014
 AutoCAD(R) P&ID 2013
 AutoCAD(R) P&ID 2012
 AutoCAD(R) P&ID 2011
 AutoCAD(R) Plant 3D 2014
 AutoCAD(R) Plant 3D 2013
 AutoCAD(R) Plant 3D 2012
 AutoCAD(R) Plant 3D 2011
 AutoCAD(R) Structural Detailing 2014
 AutoCAD(R) Structural Detailing 2013
 AutoCAD(R) Structural Detailing 2012
 AutoCAD(R) Structural Detailing 2011
 AutoCAD(R) Utility Design 2014
 AutoCAD(R) Utility Design 2012
 DWG TrueView(TM) 2014
 DWG TrueView(TM) 2013
 DWG TrueView(TM) 2012
 DWG TrueView(TM) 2011

Not Vulnerable Packages:

 None

Solution/Vendor Information/Workaround:

 http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

Credits:

 This vulnerability was found by  Joshep J. Cortez Sanchez of the
 Binamuse Vulnerability Research Team, http://binamuse.com

Technical Description:

 The R2007 dwg format is composed by sections and pages. Sections come in
two
 flavors system sections and data sections. The system sections contain
informa-
 tion about where the data sections and their pages are in the file.

 The system sections are built based in two main data structures: a first
header
 and a second header. In addition, there are two important sections in the
file
 structure, the page map and the section map. Each one of this sections
should
 be decoded using Reed Solomon algorithm and optionally be compressed with a
 proprietary algorithm (which we will ignore).

 The file structure looks like this:


+------DWG-----------------------------------------------------------------+
  | +-----------------+                 +-------------+
+------------------+ |
  | |   1st Header    |                 |   Page Map  | |   Sections Map
| |
  | +--+--------------+                 +-------------+
+------------------+ |
  +--- |
--------------------------------------------------------------------+
       |

       | Reed Solomon

       |

  +----V--------------------------+      +-------------->|
  |
  |                               |      |               |
  |
  |        Header Values          |      |
+-------------------+
  |                               |      |               |   Page Count
 |
  +-------------------------------+      | Decompress
 +-------------------+
  |         Header CRC            |      |               |   Page Max ID
  |
  +-------------------------------+      |
+-------------------+
  |                               |      |               |
  |
  |        Second Header          |      |
+-------------------+
  |        (Compressed)           +------+               |   Page Map
Offset |
  |                               |
 +-------------------+
  +-------------------------------+                      |   Page Map Len
 |
  |      Second Header CRC        |
 +-------------------+
  +-------------------------------+                      |
  |

 The DWG R2007 also known as AC1021 is well documented by the reversing
effort
 of opendesign. For more detail on this please check http://opendesign.com


 AutoCAD starts by parsing the 1st header. Among other things it reads the
size
 and location of the 2nd header. From the second header it reads the
position in
 the file where the page map is stored, the number of pages present in the
file
 (Page Count) and the maximum page id (Page Max ID) a page shall have. The
page
 map is stored in a single system section page and it is composed by tuples
 (ID, Size) where ID is the page number.

  +-PageMap-------------+
  |    ID    |   Size   |
  +---------------------+
  |    ID    |   Size   |
  +---------------------+
  |    ID    |   Size   |
  +---------------------+

 When each PageMap node is read two data structures are updated, a double
linked
 list of page map nodes called PMapList and an id indexed array of node
pointers
 called PMapArray.

 PMapArray is an array of node pointers maintained for quick access of the
page
 map nodes. It maps the id to the actual page map node. A memory chunk of
 pages-maxid*sizeof(void*) bytes is allocated for it as declared in the 2nd
 header.

 The bug: When each new page map node is created its address is stored in
the
 corresponding id position of the PMapArray array without checking its
 boundaries. Thus, enabling an arbitrary heap offset overwrite with a
pointer
 to the recently created node.

REFERENCES:

 http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html
 http://binamuse.com/advisories/BINA-20130724.txt

http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf
 http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

DISCLAIMER:

 The content of this advisory are copyright (c) 2013 Binamuse Inc.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ