Autodesk DWG TrueView Buffer Overflow

2014-06-3000:00:00

www.tenable.com

123

The remote host has an install of Autodesk DWG TrueView version 2011, 2012, 2013 or 2014, and thus is affected by an error related to the handling of DWG files.

The error exists due to a failure to properly bounds-check data in DWG files before using it to index and copy heap memory values. An attacker could exploit this issue by convincing a user to open a specially crafted DWG file which could result in arbitrary code execution.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(76308);
  script_version("1.3");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2013-3665");
  script_bugtraq_id(61355);

  script_name(english:"Autodesk DWG TrueView Buffer Overflow");
  script_summary(english:"Checks Autodesk DWG TrueView version.");

  script_set_attribute(attribute:"synopsis", value:
"An application on the remote host is affected by a buffer overflow
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host has an install of Autodesk DWG TrueView version 2011,
2012, 2013 or 2014, and thus is affected by an error related to the
handling of DWG files.

The error exists due to a failure to properly bounds-check data in DWG
files before using it to index and copy heap memory values. An
attacker could exploit this issue by convincing a user to open a
specially crafted DWG file which could result in arbitrary code
execution.");
  script_set_attribute(attribute:"see_also", value:"http://blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html");
  script_set_attribute(attribute:"see_also", value:"http://www.binamuse.com/advisories/BINA-20130724.txt");
  script_set_attribute(attribute:"see_also", value:"http://www.binamuse.com/exploits/BINA-20130724.py");
  script_set_attribute(attribute:"see_also", value:"http://www.binamuse.com/papers/ACADR2007Report.pdf");
  # https://knowledge.autodesk.com/support/dwg-trueview/downloads/caas/downloads/content/autodesk-C2-AE-autocad-C2-AE-code-execution-vulnerability--E2-80-93-security-hotfix.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a3a6da8b");
  # http://knowledge.autodesk.com/sites/default/files/file_downloads/AutoCAD_Code_Execution_Readme.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e641599");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 18.1.75.0.0, 18.2.75.0.0, 19.0.75.0.0, 19.1.75.0.0
or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:autodesk:dwg_trueview");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("autodesk_dwg_trueview_installed.nbin");
  script_require_keys("SMB/Autodesk DWG TrueView/Installed");
  script_require_ports(139, 445);
  exit(0);

}

include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/Autodesk DWG TrueView/Installed");
installs = get_kb_list_or_exit("SMB/Autodesk DWG TrueView/*/Version");
kb_entry = branch(keys(installs));
kb_base = kb_entry - "/Version";

prod_version = get_kb_item_or_exit(kb_entry);

path = get_kb_item_or_exit(kb_base + "/Path");
display_name = get_kb_item_or_exit(kb_base + "/Display_Name");

pieces = split(prod_version, sep:".", keep:FALSE);
major_ver = pieces[0];

# Check acdb.dll file version
exe = path + "\acdb" + major_ver + ".dll";
ver = hotfix_get_pversion(path:exe);
err_res = hotfix_handle_error(
  error_code   : ver['error'],
  file         : exe,
  appname      : display_name,
  exit_on_fail : TRUE
);
hotfix_check_fversion_end();

version = ver['value'];
fixed_version = FALSE;

# TrueView 2011 (18.1.0.0 and up)
if (version =~ "^18\.1\." && ver_compare(ver:version, fix:"18.1.75.0.0", strict:FALSE) < 0) 
  fixed_version = '18.1.75.0.0';

# TrueView 2012
else if (version =~ "^18\.2" && ver_compare(ver:version, fix:"18.2.75.0.0", strict:FALSE) < 0) 
  fixed_version = '18.2.75.0.0';

# TrueView 2013
else if (version =~ "^19\.0" && ver_compare(ver:version, fix:"19.0.75.0.0", strict:FALSE) < 0) 
  fixed_version = '19.0.75.0.0';

# TrueView 2014
else if (version =~ "^19\.1" && ver_compare(ver:version, fix:"19.1.75.0.0", strict:FALSE) < 0) 
  fixed_version = '19.1.75.0.0';


if (fixed_version)
{
  port = kb_smb_transport();

  if (report_verbosity > 0)
  {
    report += '\n  Product           : ' + display_name +
              '\n  Path              : ' + exe +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : ' + fixed_version + '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_INST_VER_NOT_VULN, exe, version);

VendorProductVersionCPE
autodeskdwg_trueviewcpe:/a:autodesk:dwg_trueview

Vendor	Product	Version	CPE
autodesk	dwg_trueview		cpe:/a:autodesk:dwg_trueview

References

blog.binamuse.com/2013/07/autocad-dwg-ac1021-heap-corruption.html

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3665

www.binamuse.com/advisories/BINA-20130724.txt

www.binamuse.com/exploits/BINA-20130724.py

www.binamuse.com/papers/ACADR2007Report.pdf

www.nessus.org/u?5e641599

www.nessus.org/u?a3a6da8b

JSON

Related for AUTODESK_DWG_TRUEVIEW_OVERFLOW.NASL