Google SketchUp v8.x – Memory Corruption Vulnerability

Details:
========
A memory corruption vulnerability is detected in Google SketchUp v8.x. The vulnerability is caused by a memory corruption when
processing corrupt DAE files through the import filter, which could be exploited by attackers to crash an affected/vulnerable application.
It is also possible to execute machine-specific code by tricking a user into opening a specially crafted (manipulated) DAE file. The bug
is located in the configuration & transformation handling of the .dae import function (module).

Vulnerable Module(s):
[+] DAE – Import

— Bugsplat Logs —
2011-07-24 20:20:55 Entered Unhandled Exception Filter
2011-07-24 20:20:55 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp
2011-07-24 20:20:55 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:26:00 Entered Unhandled Exception Filter
2011-07-24 20:26:01 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp
2011-07-24 20:26:01 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:26:53 Entered Unhandled Exception Filter
2011-07-24 20:26:54 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp
2011-07-24 20:26:54 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/
2011-07-24 20:35:51 Entered Unhandled Exception Filter
2011-07-24 20:35:51 Minidump file successfully saved C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp
2011-07-24 20:35:51 Launching BsSndRpt.exe /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/

— Sketchup Logs —
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)

— Exception Logs —
(10f4.dcc): C++ EH exception – code e06d7363 (first chance)
eax=0986ef50 ebx=08b05001 ecx=00000003 edx=00000000 esi=08cbf53c edi=090433d8
eip=75feb727 esp=0986ef50 ebp=0986efa0 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> gn
(10f4.dcc): C++ EH exception – code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f4b4b0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> gn
(10f4.dcc): C++ EH exception – code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f90bd0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9
0:001> g
eax=00000000 ebx=77a21c04 ecx=00000000 edx=00000000 esi=004da500 edi=00000000
eip=779e00ed esp=0672fc8c ebp=0672fe20 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForMultipleObjects+0x15:
779e00ed 83c404 add esp,4
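
As an added triage helper that is not part of this advisory, the following parses WinDbg event lines like those above and separates MSVC C++ EH throws (code e06d7363, which KERNELBASE!RaiseException emits for an ordinary C++ throw) from memory-unsafe exception codes. It assumes WinDbg's standard event-line format; the second-chance access violation in the sample log is constructed and does not come from the page.

```python
import re
from collections import Counter

# Documented Windows exception codes. 0xE06D7363 is the MSVC C++ throw code
# (0xE0 + ASCII "msc"): it is raised for every C++ `throw`, not only on corruption.
EXCEPTION_CODES = {
    0xE06D7363: ("msvc_cpp_exception", False),
    0xC0000005: ("access_violation", True),
    0xC0000409: ("stack_buffer_overrun", True),
}

# WinDbg event line, e.g. "(10f4.dcc): C++ EH exception - code e06d7363 (first chance)".
# Second-chance events read "(!!! second chance !!!)"; pasted logs often carry an en dash.
EVENT_RE = re.compile(
    r"\([0-9a-f]+\.[0-9a-f]+\): .+? [-\u2013] code (?P<code>[0-9a-f]{8})"
    r" \((?:!!! )?(?P<chance>first|second) chance(?: !!!)?\)", re.I)

def parse_events(log):
    """Return one dict per exception event found in a WinDbg transcript."""
    events = []
    for m in EVENT_RE.finditer(log):
        code = int(m.group("code"), 16)
        name, unsafe = EXCEPTION_CODES.get(code, ("unknown", False))
        events.append({"code": code, "name": name, "memory_unsafe": unsafe,
                       "second_chance": m.group("chance").lower() == "second"})
    return events

def triage(log):
    """Weak evidence: only first-chance C++ throws. Strong: a second-chance AV/fail-fast."""
    events = parse_events(log)
    unsafe = [e for e in events if e["memory_unsafe"]]
    if any(e["second_chance"] for e in unsafe):
        verdict = "unhandled memory-safety exception: treat as memory corruption"
    elif unsafe:
        verdict = "memory-safety exception caught first-chance: inspect the handler"
    elif events:
        verdict = "only C++ EH events: re-run with 'sxe av' and check '!analyze -v'"
    else:
        verdict = "no exception events found"
    return {"events": len(events), "by_name": dict(Counter(e["name"] for e in events)),
            "second_chance": sum(e["second_chance"] for e in events), "verdict": verdict}

# Constructed sample: the advisory's three first-chance lines, plus one constructed
# second-chance access violation (not from the page) to exercise the strong path.
SAMPLE_LOG = """\
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
(10f4.dcc): Access violation - code c0000005 (!!! second chance !!!)
"""
```

On the transcript above, which shows only first-chance e06d7363 events followed by a wait in ntdll, the verdict is the weak one; a second-chance c0000005 or c0000409 in the attached minidumps would be the stronger indicator.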

Information:
SketchUp's exception handling filters wrong or manipulated file imports and marks them as not working (wrong.png).
The PoC is not caught by SketchUp's exception handling and gets through without any blocking exception handling.

Pictures:
../1.png
../2.png
../2.2-bex.png
../3.png
../wrong.png

Analyses:
../AppCrash_SketchUp.exe_b7af0d96025b256cb43f14bb2184042bfdb54f4_114ea662
../AppCrash_SketchUp.exe_b23e85cdd9cd939dfa22fccaf81865a57c03cb_12666c3f
../Crash Reports
../SketchUp5FMH3QI7.dmp
../SketchUpCTOP41M5.dmp
../bugsplat.log
