Autodesk AutoCAD/AutoCAD LT/DWG TrueView Arbitrary Code Execution Vulnerability

Vulnerability ID 1166947 Vulnerability Type Input Validation
Published 2013-07-18 Updated 2013-07-18
CVE ID CVE-2013-3665 CNNVD-ID CNNVD-201307-407
Platform N/A CVSS Score 6.8
|Vulnerability Sources
https://www.securityfocus.com/bid/61355
https://cxsecurity.com/issue/WLB-2013070191
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-407
|Vulnerability Details
Autodesk AutoCAD and AutoCAD LT are drawing software products from Autodesk, Inc. (USA). DWG TrueView is CAD viewing software. A security vulnerability exists in Autodesk AutoCAD 2014 and earlier, AutoCAD LT 2014 and earlier, and DWG TrueView 2014 and earlier. A remote attacker can exploit this vulnerability to execute arbitrary code by getting the application to load a specially crafted DWG file.
|Vulnerability EXP
Upgrade your AutoCAD or DWG related software:

Original advisory:
http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112

============================================
Title: AutoCAD DWG-AC1021 Heap Corruption
Product: Autodesk AutoCAD
Advisory ID: BINA-20130724
CVE ID: CVE-2013-3665
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20130724.txt
Vendor notified on: 2013-03-27
Patch/Fix Released: 2013-07-10
Advisory Published: 2013-07-24

Vulnerability Description:

 AutoCAD is software for computer-aided design (CAD) and technical drawing in
 2D/3D, and one of the world's leading CAD design tools. It is developed and
 sold by Autodesk, Inc.

 AutoCAD is vulnerable to an arbitrary pointer dereference vulnerability, which
 can be exploited by malicious remote attackers to compromise a user's system.
 This issue is due to AutoCAD's failure to properly bounds-check data in a DWG
 file before using it to index and copy heap memory values. This can be
 exploited to execute arbitrary code by opening a specially crafted DWG file,
 version AC1021.

 This version was the native file format of AutoCAD Release 2007. New versions
 of the format have emerged, but AC1021 is still supported in modern AutoCADs
 for backward compatibility.

Vulnerable Packages:

 AutoCAD(R) 2014
 AutoCAD(R) 2013
 AutoCAD(R) 2012
 AutoCAD(R) 2011
 AutoCAD(R) Architecture 2014
 AutoCAD(R) Architecture 2013
 AutoCAD(R) Architecture 2012
 AutoCAD(R) Architecture 2011
 AutoCAD(R) Civil 3D(R) 2014
 AutoCAD(R) Civil 3D(R) 2013
 AutoCAD(R) Civil 3D(R) 2012
 AutoCAD(R) Civil 3D(R) 2011
 AutoCAD(R) ecscad 2014
 AutoCAD(R) ecscad 2013
 AutoCAD(R) ecscad 2012
 AutoCAD(R) ecscad 2011
 AutoCAD(R) Electrical 2014
 AutoCAD(R) Electrical 2013
 AutoCAD(R) Electrical 2012
 AutoCAD(R) Electrical 2011
 AutoCAD LT(R) 2014
 AutoCAD LT(R) 2013
 AutoCAD LT(R) 2012
 AutoCAD LT(R) 2011
 AutoCAD(R) Map 3D 2014
 AutoCAD(R) Map 3D 2013
 AutoCAD(R) Map 3D 2012
 AutoCAD(R) Map 3D 2011
 AutoCAD(R) Mechanical 2014
 AutoCAD(R) Mechanical 2013
 AutoCAD(R) Mechanical 2012
 AutoCAD(R) Mechanical 2011
 AutoCAD(R) MEP 2014
 AutoCAD(R) MEP 2013
 AutoCAD(R) MEP 2012
 AutoCAD(R) MEP 2011
 AutoCAD(R) P&ID 2014
 AutoCAD(R) P&ID 2013
 AutoCAD(R) P&ID 2012
 AutoCAD(R) P&ID 2011
 AutoCAD(R) Plant 3D 2014
 AutoCAD(R) Plant 3D 2013
 AutoCAD(R) Plant 3D 2012
 AutoCAD(R) Plant 3D 2011
 AutoCAD(R) Structural Detailing 2014
 AutoCAD(R) Structural Detailing 2013
 AutoCAD(R) Structural Detailing 2012
 AutoCAD(R) Structural Detailing 2011
 AutoCAD(R) Utility Design 2014
 AutoCAD(R) Utility Design 2012
 DWG TrueView(TM) 2014
 DWG TrueView(TM) 2013
 DWG TrueView(TM) 2012
 DWG TrueView(TM) 2011

Not Vulnerable Packages:

 None

Solution/Vendor Information/Workaround:

 http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

Credits:

 This vulnerability was found by Joshep J. Cortez Sanchez of the
 Binamuse Vulnerability Research Team, http://binamuse.com

Technical Description:

 The R2007 dwg format is composed of sections and pages. Sections come in two
 flavors: system sections and data sections. The system sections contain
 information about where the data sections and their pages are in the file.

 The system sections are built on two main data structures: a first header and
 a second header. In addition, there are two important sections in the file
 structure, the page map and the section map. Each one of these sections
 should be decoded using the Reed Solomon algorithm and may optionally be
 compressed with a proprietary algorithm (which we will ignore).

 The file structure looks like this:


  +------DWG------------------------------------------------------------------+
  | +-----------------+              +-------------+     +------------------+ |
  | |   1st Header    |              |   Page Map  |     |   Sections Map   | |
  | +--+--------------+              +-------------+     +------------------+ |
  +----|----------------------------------------------------------------------+
       |
       | Reed Solomon
       |
  +----V--------------------------+      +-------------->+-------------------+
  |                               |      |               |                   |
  |        Header Values          |      |               |    Page Count     |
  |                               |      |               +-------------------+
  +-------------------------------+      | Decompress    |    Page Max ID    |
  |         Header CRC            |      |               +-------------------+
  +-------------------------------+      |               |                   |
  |                               |      |               |  Page Map Offset  |
  |        Second Header          |      |               +-------------------+
  |        (Compressed)           +------+               |   Page Map Len    |
  |                               |                      +-------------------+
  +-------------------------------+
  |      Second Header CRC        |
  +-------------------------------+

 DWG R2007, also known as AC1021, is well documented by the reverse-engineering
 effort of opendesign. For more detail on this please check
 http://opendesign.com

 AutoCAD starts by parsing the 1st header. Among other things it reads the
 size and location of the 2nd header. From the second header it reads the
 position in the file where the page map is stored, the number of pages
 present in the file (Page Count) and the maximum page id (Page Max ID) a page
 shall have. The page map is stored in a single system section page and is
 composed of (ID, Size) tuples, where ID is the page number.

  +-PageMap-------------+
  |    ID    |   Size   |
  +---------------------+
  |    ID    |   Size   |
  +---------------------+
  |    ID    |   Size   |
  +---------------------+

 When each PageMap node is read, two data structures are updated: a doubly
 linked list of page map nodes called PMapList and an id-indexed array of node
 pointers called PMapArray.

 PMapArray is an array of node pointers maintained for quick access to the
 page map nodes. It maps the id to the actual page map node. A memory chunk of
 Page Max ID * sizeof(void*) bytes is allocated for it, using the maximum page
 id declared in the 2nd header.

 The bug: when each new page map node is created, its address is stored at the
 corresponding id position of the PMapArray array without checking the array's
 boundaries. An id larger than Page Max ID therefore writes a pointer to the
 recently created node at an arbitrary heap offset.
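 The following is an added illustration of the check the advisory describes as
 missing; it is not AutoCAD's or Binamuse's code. It models the PMapList and
 PMapArray structures described above and refuses any tuple whose ID does not
 index inside the Page Max ID-sized array. Everything about the byte layout is
 an assumption for the example: each tuple is taken to be two little-endian
 int32 values (ID, Size), IDs are taken to be 0-based, and the buffer is taken
 to be already Reed Solomon decoded and decompressed. The type and function
 names (pmap_node, page_map, page_map_build) are invented here, and the demo_*
 inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration (not AutoCAD code). Assumptions: one page-map tuple is
 * two little-endian int32 values (ID, Size), IDs are 0-based, and the tuple
 * bytes are already Reed Solomon decoded and decompressed. */

typedef struct pmap_node {
    int32_t id;                  /* page number */
    int32_t size;                /* page size */
    struct pmap_node *prev;      /* PMapList links (doubly linked) */
    struct pmap_node *next;
} pmap_node;

typedef struct {
    pmap_node *head, *tail;      /* PMapList */
    pmap_node **array;           /* PMapArray: max_id entries, indexed by id */
    int32_t max_id;              /* Page Max ID from the 2nd header */
    int32_t count;               /* nodes actually linked */
} page_map;

enum { PMAP_OK = 0, PMAP_ERR_ARGS = -1, PMAP_ERR_TRUNC = -2,
       PMAP_ERR_ID = -3, PMAP_ERR_OOM = -4 };

static int32_t rd_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

void page_map_free(page_map *m) {
    pmap_node *n = m->head;
    while (n) { pmap_node *next = n->next; free(n); n = next; }
    free(m->array);
    memset(m, 0, sizeof *m);
}

/* Decode page_count (ID, Size) tuples from buf into *out.
 * Returns PMAP_OK or a negative PMAP_ERR_* code; on error *out is released. */
int page_map_build(const uint8_t *buf, size_t len, int32_t page_count,
                   int32_t max_id, page_map *out) {
    if (!buf || !out || page_count < 0 || max_id <= 0) return PMAP_ERR_ARGS;
    if (len / 8 < (size_t)page_count) return PMAP_ERR_TRUNC; /* tuples must fit */
    memset(out, 0, sizeof *out);
    /* Page Max ID * sizeof(void*) bytes, as the advisory describes PMapArray */
    out->array = calloc((size_t)max_id, sizeof(pmap_node *));
    if (!out->array) return PMAP_ERR_OOM;
    out->max_id = max_id;
    for (int32_t i = 0; i < page_count; i++) {
        const uint8_t *t = buf + (size_t)i * 8;
        int32_t id = rd_le32(t), size = rd_le32(t + 4);
        /* The missing check: id must index inside the max_id-entry array.
         * Without it, out->array[id] = n stores a heap pointer at a
         * file-controlled offset, which is the advisory's bug. */
        if (id < 0 || id >= max_id) { page_map_free(out); return PMAP_ERR_ID; }
        pmap_node *n = calloc(1, sizeof *n);
        if (!n) { page_map_free(out); return PMAP_ERR_OOM; }
        n->id = id; n->size = size;
        n->prev = out->tail;                      /* append to PMapList */
        if (out->tail) out->tail->next = n; else out->head = n;
        out->tail = n;
        out->array[id] = n;                       /* safe after the check */
        out->count++;
    }
    return PMAP_OK;
}

static void put_le32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff; p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* Constructed page map: 3 tuples, IDs 0..2, max_id 3. Returns the size stored
 * for page 2 as found through PMapArray, or the error code if parsing fails. */
int demo_well_formed(void) {
    uint8_t buf[24];
    const int32_t ids[3] = {0, 1, 2}, sizes[3] = {1024, 2048, 4096};
    for (int i = 0; i < 3; i++) { put_le32(buf + i * 8, ids[i]); put_le32(buf + i * 8 + 4, sizes[i]); }
    page_map m;
    int rc = page_map_build(buf, sizeof buf, 3, 3, &m);
    if (rc != PMAP_OK) return rc;
    int32_t result = m.array[2] ? m.array[2]->size : -1;
    page_map_free(&m);
    return result;
}

/* Constructed page map whose second tuple carries an ID (0x40000) far beyond
 * max_id 3: the checked parser must return PMAP_ERR_ID instead of writing. */
int demo_out_of_range_id(void) {
    uint8_t buf[16];
    put_le32(buf, 0); put_le32(buf + 4, 1024);
    put_le32(buf + 8, 0x40000); put_le32(buf + 12, 512);
    page_map m;
    return page_map_build(buf, sizeof buf, 2, 3, &m);
}

/* Truncated input: the header claims 3 pages but only 2 tuples are present. */
int demo_truncated(void) {
    uint8_t buf[16] = {0};
    page_map m;
    return page_map_build(buf, sizeof buf, 3, 3, &m);
}

int main(void) {
    printf("well formed: size of page 2 = %d\n", demo_well_formed());
    printf("out-of-range id: rc = %d\n", demo_out_of_range_id());
    printf("truncated: rc = %d\n", demo_truncated());
    return 0;
}
```

 The two rejections are the ones a DWG parser needs around this structure: the
 tuple count declared in the header must be checked against the bytes actually
 present, and every ID must be checked against the Page Max ID that sized the
 array before it is used as an index.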

REFERENCES:

 http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html
 http://binamuse.com/advisories/BINA-20130724.txt
 http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf
 http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

DISCLAIMER:

 The contents of this advisory are copyright (c) 2013 Binamuse Inc.
 and may be distributed freely provided that no fee is charged for this
 distribution and proper credit is given.
|Affected Products
Autodesk DWG TrueView 2013
Autodesk DWG TrueView 2012
Autodesk DWG TrueView 2011
Autodesk DWG TrueView 2014
Autodesk AutoCAD Utility Design 2014
|References

Source: usa.autodesk.com
Link: http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112
Source: images.autodesk.com
Link: http://images.autodesk.com/adsk/files/Autodesk_AutoCAD_Code_Execution_Vulnerability_Hotfix_Readme.pdf