Google SketchUp 8.x Memory Corruption

Google SketchUp 8.x Memory Corruption: Posted Sep 13, 2011; Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com; Google SketchUp version 8.x suffers from a memory corruption vulnerability when processing malformed DAE files.; tags | advisory; SHA-256 | 3411767536cf9d6b2fb7141188de04b80de60ea989af8ff7a0b822590f2074a8; Download | Favorite | View

Google SketchUp 8.x Memory Corruption

Title:
======
Google SketchUp v8.x - Memory Corruption Vulnerability


Date:
=====
2011-09-13



VL-ID:
=====
99


Introduction:
=============
Google SketchUp Pro is 3D modeling software for professionals. SketchUp is easy and intuitive, allowing anyone to model 
in 3D quickly and accurately. Using 3D models, designers can make more informed decisions, communicate project details, 
and share ideas with colleagues and customers to reach a common goal. SketchUp Pro includes LayOut, a 2D documentation 
and presentation tool for professionals. LayOut combines 3D models with text and 2D drawing elements to create design 
documents, construction drawings and compelling digital presentations.

(Copy of the Vendor Homepage: http://sketchup.google.com/intl/de/download/)


Abstract:
=========
Vulnerability-Lab Team discovered a Memory Corruption Vulnerability on Googles SketchUp Software v7.x.


Report-Timeline:
================
2011-09-13:  Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================

Exploitation-Technique:
=======================
Local


Severity:
=========
Medium


Details:
========
A Memory Corruption vulnerability is detected on the Google s SketchUp v8.x. The vulnerability is caused by an memory corruption when 
processing corrupt DAE files through the filter, which could be exploited by attackers to crash an affected/vulnerable application. 
Its also possible to execute maschine specific code by tricking a user into opening a special crafted (manipulated) DAE file. The bug 
is located in the configuration & transformation handling of .dae import function (module).

Vulnerable Module(s): 
                          [+] DAE - Import


--- Bugsplat Logs ---
2011-07-24 20:20:55  Entered Unhandled Exception Filter
2011-07-24 20:20:55  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp
2011-07-24 20:20:55  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:26:00  Entered Unhandled Exception Filter
2011-07-24 20:26:01  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp
2011-07-24 20:26:01  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:26:53  Entered Unhandled Exception Filter
2011-07-24 20:26:54  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp
2011-07-24 20:26:54  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:35:51  Entered Unhandled Exception Filter
2011-07-24 20:35:51  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp
2011-07-24 20:35:51  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 


--- Sketchup Logs ---
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)

--- Exception Logs ---
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986ef50 ebx=08b05001 ecx=00000003 edx=00000000 esi=08cbf53c edi=090433d8
eip=75feb727 esp=0986ef50 ebp=0986efa0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f4b4b0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f90bd0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> g
eax=00000000 ebx=77a21c04 ecx=00000000 edx=00000000 esi=004da500 edi=00000000
eip=779e00ed esp=0672fc8c ebp=0672fe20 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtWaitForMultipleObjects+0x15:
779e00ed 83c404          add     esp,4


Information:
The sketchup exception-handling filters wrong or manipulated file imports & mark them as not working(wrong.png).
The PoC is not affected by the sketchup exception-handling & get through without any blocking exception-handling. 


Pictures:
      ../1.png
      ../2.png
      ../2.2-bex.png
      ../3.png
      ../wrong.png

Analyses:
      ../AppCrash_SketchUp.exe_b7af0d96025b256cb43f14bb2184042bfdb54f4_114ea662
      ../AppCrash_SketchUp.exe_b23e85cdd9cd939dfa22fccaf81865a57c03cb_12666c3f
      ../Crash Reports
      ../SketchUp5FMH3QI7.dmp
      ../SketchUpCTOP41M5.dmp
      ../bugsplat.log


Risk:
=====
The security risk of the memory corruption vulnerability is estimated as medium.


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 61 files
Debian 20 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,160)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,842)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,249)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,975)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Google SketchUp 8.x Memory Corruption

Google SketchUp 8.x Memory Corruption

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Google SketchUp 8.x Memory Corruption

Share This

Google SketchUp 8.x Memory Corruption

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems