
Google SketchUp 8.x Memory Corruption

Posted Sep 13, 2011
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Google SketchUp version 8.x suffers from a memory corruption vulnerability when processing malformed DAE files.

tags | advisory
SHA-256 | 3411767536cf9d6b2fb7141188de04b80de60ea989af8ff7a0b822590f2074a8

Title:
======
Google SketchUp v8.x - Memory Corruption Vulnerability


Date:
=====
2011-09-13



VL-ID:
=====
99


Introduction:
=============
Google SketchUp Pro is 3D modeling software for professionals. SketchUp is easy and intuitive, allowing anyone to model
in 3D quickly and accurately. Using 3D models, designers can make more informed decisions, communicate project details,
and share ideas with colleagues and customers to reach a common goal. SketchUp Pro includes LayOut, a 2D documentation
and presentation tool for professionals. LayOut combines 3D models with text and 2D drawing elements to create design
documents, construction drawings and compelling digital presentations.

(Copy of the Vendor Homepage: http://sketchup.google.com/intl/de/download/)


Abstract:
=========
The Vulnerability-Lab team discovered a memory corruption vulnerability in Google's SketchUp software v7.x.


Report-Timeline:
================
2011-09-13: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================

Exploitation-Technique:
=======================
Local


Severity:
=========
Medium


Details:
========
A memory corruption vulnerability was detected in Google's SketchUp v8.x. The vulnerability is triggered when corrupt DAE files are
processed through the import filter, and can be exploited by attackers to crash an affected/vulnerable application.
It is also possible to execute machine-specific code by tricking a user into opening a specially crafted (manipulated) DAE file. The bug
is located in the configuration & transformation handling of the .dae import function (module).

Vulnerable Module(s):
[+] DAE - Import


--- Bugsplat Logs ---
2011-07-24 20:20:55 Entered Unhandled Exception Filter
2011-07-24 20:20:55 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp
2011-07-24 20:20:55 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:26:00 Entered Unhandled Exception Filter
2011-07-24 20:26:01 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp
2011-07-24 20:26:01 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:26:53 Entered Unhandled Exception Filter
2011-07-24 20:26:54 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp
2011-07-24 20:26:54 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:35:51 Entered Unhandled Exception Filter
2011-07-24 20:35:51 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp
2011-07-24 20:35:51 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
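
Added example, not part of the original advisory: a Python triage helper that pairs each crash entry in a BugSplat log like the one above with the minidump saved for it and flags bursts of repeated crashes, the pattern a file that crashes the importer on every open leaves in this log. The sample lines are copied from the excerpt above; the function names, the 3-crash threshold and the 10-minute window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the advisory's BugSplat excerpt (BsSndRpt launch lines trimmed to one).
SAMPLE_LOG = """\
2011-07-24 20:20:55 Entered Unhandled Exception Filter
2011-07-24 20:20:55 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp
2011-07-24 20:20:55 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:26:00 Entered Unhandled Exception Filter
2011-07-24 20:26:01 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp
2011-07-24 20:26:53 Entered Unhandled Exception Filter
2011-07-24 20:26:54 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp
2011-07-24 20:35:51 Entered Unhandled Exception Filter
2011-07-24 20:35:51 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
DUMP_PREFIX = "Minidump file successfully saved "


def parse_crashes(text):
    """Pair each unhandled-exception entry with the minidump saved after it."""
    crashes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate blank or foreign lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg == "Entered Unhandled Exception Filter":
            crashes.append({"time": ts, "dump": None})
        elif msg.startswith(DUMP_PREFIX) and crashes and crashes[-1]["dump"] is None:
            crashes[-1]["dump"] = msg[len(DUMP_PREFIX):]
    return crashes


def crash_bursts(crashes, threshold=3, window=timedelta(minutes=10)):
    """Return the crashes that start a run of >= threshold crashes inside `window`."""
    times = [c["time"] for c in crashes]
    return [c for i, c in enumerate(crashes)
            if sum(1 for t in times[i:] if t - times[i] <= window) >= threshold]


if __name__ == "__main__":
    found = parse_crashes(SAMPLE_LOG)
    for c in found:
        print(c["time"], c["dump"])
    print("burst starts:", [str(c["time"]) for c in crash_bursts(found)])
```

A crash entry with no following minidump line keeps `dump` set to `None`, so truncated logs still yield a record per crash.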


--- Sketchup Logs ---
Commit(0)

--- Exception Logs ---
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986ef50 ebx=08b05001 ecx=00000003 edx=00000000 esi=08cbf53c edi=090433d8
eip=75feb727 esp=0986ef50 ebp=0986efa0 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f4b4b0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f90bd0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> g
eax=00000000 ebx=77a21c04 ecx=00000000 edx=00000000 esi=004da500 edi=00000000
eip=779e00ed esp=0672fc8c ebp=0672fe20 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForMultipleObjects+0x15:
779e00ed 83c404 add esp,4


Information:
SketchUp's exception handling filters out wrong or manipulated file imports and marks them as not working (wrong.png).
The PoC is not affected by SketchUp's exception handling and gets through without being blocked by it.


Pictures:
../1.png
../2.png
../2.2-bex.png
../3.png
../wrong.png

Analyses:
../AppCrash_SketchUp.exe_b7af0d96025b256cb43f14bb2184042bfdb54f4_114ea662
../AppCrash_SketchUp.exe_b23e85cdd9cd939dfa22fccaf81865a57c03cb_12666c3f
../Crash Reports
../SketchUp5FMH3QI7.dmp
../SketchUpCTOP41M5.dmp
../bugsplat.log


Risk:
=====
The security risk of the memory corruption vulnerability is estimated as medium.


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
