AutoCAD DWG-AC1021 Heap Corruption
Posted Jul 24, 2013
Authored by Joshep J. Cortez Sanchez

AutoCAD DWG-AC1021 suffers from an arbitrary pointer dereference vulnerability that can be exploited to compromise a system.

tags | advisory, arbitrary
advisories | CVE-2013-3665
SHA-256 | 219a7db1a561eff423e65169d002771554f84e51f9e61f3996c00b73c866de51

============================================
Title: AutoCAD DWG-AC1021 Heap Corruption
Product: Autodesk AutoCAD
Advisory ID: BINA-20130724
CVE ID: CVE-2013-3665
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20130724.txt
Vendor notified on: 2013-03-27
Patch/Fix Released: 2013-07-10
Advisory Published: 2013-07-24

Vulnerability Description:

AutoCAD is software for computer-aided design (CAD) and technical drawing in
2D/3D and is one of the world's leading CAD design tools. It is developed and
sold by Autodesk, Inc.

AutoCAD is vulnerable to an arbitrary pointer dereference vulnerability, which
can be exploited by malicious remote attackers to compromise a user's system.
This issue is due to AutoCAD's failure to properly bounds-check data in a DWG
file before using it to index and copy heap memory values. This can be
exploited to execute arbitrary code by opening a specially crafted DWG file,
version AC1021.

This version was the native file format of AutoCAD Release 2007. Newer
versions of the format have emerged, but AC1021 is still supported in modern
AutoCAD releases for backward compatibility.

Vulnerable Packages:

AutoCAD(R) 2014
AutoCAD(R) 2013
AutoCAD(R) 2012
AutoCAD(R) 2011
AutoCAD(R) Architecture 2014
AutoCAD(R) Architecture 2013
AutoCAD(R) Architecture 2012
AutoCAD(R) Architecture 2011
AutoCAD(R) Civil 3D(R) 2014
AutoCAD(R) Civil 3D(R) 2013
AutoCAD(R) Civil 3D(R) 2012
AutoCAD(R) Civil 3D(R) 2011
AutoCAD(R) ecscad 2014
AutoCAD(R) ecscad 2013
AutoCAD(R) ecscad 2012
AutoCAD(R) ecscad 2011
AutoCAD(R) Electrical 2014
AutoCAD(R) Electrical 2013
AutoCAD(R) Electrical 2012
AutoCAD(R) Electrical 2011
AutoCAD LT(R) 2014
AutoCAD LT(R) 2013
AutoCAD LT(R) 2012
AutoCAD LT(R) 2011
AutoCAD(R) Map 3D 2014
AutoCAD(R) Map 3D 2013
AutoCAD(R) Map 3D 2012
AutoCAD(R) Map 3D 2011
AutoCAD(R) Mechanical 2014
AutoCAD(R) Mechanical 2013
AutoCAD(R) Mechanical 2012
AutoCAD(R) Mechanical 2011
AutoCAD(R) MEP 2014
AutoCAD(R) MEP 2013
AutoCAD(R) MEP 2012
AutoCAD(R) MEP 2011
AutoCAD(R) P&ID 2014
AutoCAD(R) P&ID 2013
AutoCAD(R) P&ID 2012
AutoCAD(R) P&ID 2011
AutoCAD(R) Plant 3D 2014
AutoCAD(R) Plant 3D 2013
AutoCAD(R) Plant 3D 2012
AutoCAD(R) Plant 3D 2011
AutoCAD(R) Structural Detailing 2014
AutoCAD(R) Structural Detailing 2013
AutoCAD(R) Structural Detailing 2012
AutoCAD(R) Structural Detailing 2011
AutoCAD(R) Utility Design 2014
AutoCAD(R) Utility Design 2012
DWG TrueView(TM) 2014
DWG TrueView(TM) 2013
DWG TrueView(TM) 2012
DWG TrueView(TM) 2011

Not Vulnerable Packages:

None

Solution/Vendor Information/Workaround:

http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

Credits:

This vulnerability was found by Joshep J. Cortez Sanchez of the
Binamuse Vulnerability Research Team, http://binamuse.com

Technical Description:

The R2007 DWG format is composed of sections and pages. Sections come in two
flavors: system sections and data sections. The system sections contain
information about where the data sections and their pages are in the file.

The system sections are built around two main data structures: a first
header and a second header. In addition, there are two important sections in
the file structure, the page map and the section map. Each of these sections
must be decoded using the Reed-Solomon algorithm and may optionally be
compressed with a proprietary algorithm (which we will ignore).

The file structure looks like this:

+------DWG-----------------------------------------------------------------+
| +-----------------+   +-------------+   +------------------+             |
| | 1st Header      |   | Page Map    |   | Sections Map     |             |
| +--+--------------+   +-------------+   +------------------+             |
+----|---------------------------------------------------------------------+
     |
     | Reed Solomon
     V
+-------------------------------+
|                               |
|  Header Values                |
|                               |
+-------------------------------+
|  Header CRC                   |
+-------------------------------+
|                               |
|  Second Header                |        Decompress       +-------------------+
|  (Compressed)                 +------------------------>|  Page Count       |
|                               |                         +-------------------+
+-------------------------------+                         |  Page Max ID      |
|  Second Header CRC            |                         +-------------------+
+-------------------------------+                         |  Page Map Offset  |
                                                          +-------------------+
                                                          |  Page Map Len     |
                                                          +-------------------+

DWG R2007, also known as AC1021, is well documented by the reverse-engineering
effort of opendesign. For more detail on this please check
http://opendesign.com

AutoCAD starts by parsing the 1st header. Among other things it reads the size
and location of the 2nd header. From the second header it reads the position
in the file where the page map is stored, the number of pages present in the
file (Page Count) and the maximum page id (Page Max ID) a page may have. The
page map is stored in a single system section page and is composed of tuples
(ID, Size), where ID is the page number.

+-PageMap-------------+
| ID | Size |
+---------------------+
| ID | Size |
+---------------------+
| ID | Size |
+---------------------+

When each PageMap node is read, two data structures are updated: a doubly
linked list of page map nodes called PMapList and an id-indexed array of node
pointers called PMapArray.

PMapArray is an array of node pointers maintained for quick access to the page
map nodes. It maps the id to the actual page map node. A memory chunk of
pages-maxid*sizeof(void*) bytes is allocated for it, as declared in the 2nd
header.

The bug: When each new page map node is created, its address is stored in the
corresponding id position of the PMapArray array without checking its
boundaries. This enables an arbitrary heap offset overwrite with a pointer to
the recently created node.
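The following is an added example, not code from the advisory or from
Autodesk, modelling the page map parse described above (PMapList, PMapArray
sized from Page Max ID, one (ID, Size) tuple per node) with the bounds check
the advisory reports as missing. The 8-byte little-endian tuple encoding, the
PMAP_MAX_SANE_ID limit and the sample page maps are assumptions constructed
for the example; the real AC1021 on-disk layout is not reproduced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the AC1021 page map structures named in the advisory.
 * Field widths and the flat (id, size) tuple encoding are assumptions. */
typedef struct PMapNode {
    struct PMapNode *prev, *next;   /* PMapList: doubly linked list of nodes */
    uint32_t id;                    /* page number */
    uint32_t size;                  /* page size in bytes */
} PMapNode;

typedef struct {
    PMapNode  *head, *tail;         /* PMapList */
    PMapNode **array;               /* PMapArray: id -> node, max_id slots */
    uint32_t   max_id;
} PMap;

/* Hypothetical ceiling on pages a sane file may declare: Page Max ID comes from
 * the (untrusted) 2nd header and sizes the allocation below. */
#define PMAP_MAX_SANE_ID (1u << 20)

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void pmap_free(PMap *m) {
    PMapNode *n = m->head;
    while (n) { PMapNode *nx = n->next; free(n); n = nx; }
    free(m->array);
    memset(m, 0, sizeof *m);
}

/* Parse page_count (id,size) tuples from the page map page buf into m.
 * page_count / page_max_id are the 2nd-header values. Returns 0 on success,
 * -1 on malformed input (m is left empty). */
int pmap_parse(PMap *m, const uint8_t *buf, size_t len,
               uint32_t page_count, uint32_t page_max_id)
{
    memset(m, 0, sizeof *m);
    if (page_max_id == 0 || page_max_id > PMAP_MAX_SANE_ID) return -1;
    if (page_count > page_max_id) return -1;
    if ((size_t)page_count * 8 > len) return -1;       /* tuples must fit */

    m->array = calloc(page_max_id, sizeof *m->array);  /* bounded, no overflow */
    if (!m->array) return -1;
    m->max_id = page_max_id;

    for (uint32_t i = 0; i < page_count; i++) {
        uint32_t id   = rd32(buf + i * 8);
        uint32_t size = rd32(buf + i * 8 + 4);

        /* The check the advisory reports as absent: without it, an id at or
         * beyond page_max_id stores the node pointer past the end of the
         * PMapArray heap chunk. */
        if (id >= m->max_id) { pmap_free(m); return -1; }
        /* A repeated id would silently replace an earlier node; reject it. */
        if (m->array[id] != NULL) { pmap_free(m); return -1; }

        PMapNode *n = calloc(1, sizeof *n);
        if (!n) { pmap_free(m); return -1; }
        n->id = id;
        n->size = size;
        n->prev = m->tail;                       /* append to PMapList */
        if (m->tail) m->tail->next = n; else m->head = n;
        m->tail = n;
        m->array[id] = n;                        /* index in PMapArray */
    }
    return 0;
}

/* Constructed sample page maps (not taken from any real file). */
static const uint8_t GOOD_MAP[] = {
    1,0,0,0,  0x00,0x10,0,0,   /* id 1, size 0x1000 */
    2,0,0,0,  0x00,0x02,0,0,   /* id 2, size 0x200  */
    0,0,0,0,  0x80,0x00,0,0,   /* id 0, size 0x80   */
};
/* Same layout, but the second tuple declares id 9 while Page Max ID is 4. */
static const uint8_t BAD_MAP[] = {
    1,0,0,0,  0x00,0x10,0,0,
    9,0,0,0,  0x00,0x02,0,0,
    0,0,0,0,  0x80,0x00,0,0,
};

/* Parse buf and return the size recorded for page `want`, or -1 if the map
 * is rejected or the page is absent. */
long page_size_for(const uint8_t *buf, size_t len, uint32_t count,
                   uint32_t max_id, uint32_t want)
{
    PMap m;
    if (pmap_parse(&m, buf, len, count, max_id) != 0) return -1;
    long r = (want < m.max_id && m.array[want]) ? (long)m.array[want]->size : -1;
    pmap_free(&m);
    return r;
}

int main(void) {
    printf("good map: size of page 2 = 0x%lx\n", page_size_for(GOOD_MAP, sizeof GOOD_MAP, 3, 4, 2));
    printf("bad map : %ld (rejected)\n", page_size_for(BAD_MAP, sizeof BAD_MAP, 3, 4, 2));
    return 0;
}
```

Note that the id check alone is not enough: Page Max ID is read from the same
untrusted file and sizes the PMapArray allocation, so it is capped before the
multiplication, and Page Count is checked against both the cap and the length
of the page map page before any tuple is read.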

REFERENCES:

http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html
http://binamuse.com/advisories/BINA-20130724.txt

http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf
http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

DISCLAIMER:

The contents of this advisory are copyright (c) 2013 Binamuse Inc.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

packet storm

© 2022 Packet Storm. All rights reserved.