Google SketchUp v8.x - Memory Corruption Vulnerability

2011-09-12T00:00:00
ID VULNERLAB:99
Type vulnerlab
Reporter Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Modified 2011-09-12T00:00:00

Description

                                        
                                            Document Title:
===============
Google SketchUp v8.x - Memory Corruption Vulnerability



Release Date:
=============
2011-09-12


Vulnerability Laboratory ID (VL-ID):
====================================
99


Product & Service Introduction:
===============================
Google SketchUp Pro is 3D modeling software for professionals. SketchUp is easy and intuitive, allowing anyone to model 
in 3D quickly and accurately. Using 3D models, designers can make more informed decisions, communicate project details, 
and share ideas with colleagues and customers to reach a common goal. SketchUp Pro includes LayOut, a 2D documentation 
and presentation tool for professionals. LayOut combines 3D models with text and 2D drawing elements to create design 
documents, construction drawings and compelling digital presentations.

(Copy of the Vendor Homepage: http://sketchup.google.com/intl/de/download/)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered a Memory Corruption Vulnerability on Googles SketchUp Software v8.x.


Vulnerability Disclosure Timeline:
==================================
2011-09-13:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A Memory Corruption vulnerability is detected on the Google s SketchUp v8.x. The vulnerability is caused by an memory corruption when 
processing corrupt DAE files through the filter, which could be exploited by attackers to crash an affected/vulnerable application. 
Its also possible to execute maschine specific code by tricking a user into opening a special crafted (manipulated) DAE file. The bug 
is located in the configuration & transformation handling of .dae import function (module).

Vulnerable Module(s): 
			                    [+] DAE - Import


--- Bugsplat Logs ---
2011-07-24 20:20:55  Entered Unhandled Exception Filter
2011-07-24 20:20:55  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4EKL42V3.dmp
2011-07-24 20:20:55  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:26:00  Entered Unhandled Exception Filter
2011-07-24 20:26:01  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUpUHV15AH1.dmp
2011-07-24 20:26:01  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:26:53  Entered Unhandled Exception Filter
2011-07-24 20:26:54  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUpGRD510S5.dmp
2011-07-24 20:26:54  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 
2011-07-24 20:35:51  Entered Unhandled Exception Filter
2011-07-24 20:35:51  Minidump file successfully saved    C:/Users/Rem0ve/AppData/Local/Temp/SketchUp4H214T15.dmp
2011-07-24 20:35:51  Launching BsSndRpt.exe              /BsSndRpt.exe/ /i /C:/Users/Rem0ve/AppData/Local/Temp/BsSndRpt.ini/ 


--- Sketchup Logs ---
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)
Commit(0)

--- Exception Logs ---
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986ef50 ebx=08b05001 ecx=00000003 edx=00000000 esi=08cbf53c edi=090433d8
eip=75feb727 esp=0986ef50 ebp=0986efa0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f4b4b0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> gn
(10f4.dcc): C++ EH exception - code e06d7363 (first chance)
eax=0986edfc ebx=08afce20 ecx=00000003 edx=00000000 esi=0986f4c0 edi=08f90bd0
eip=75feb727 esp=0986edfc ebp=0986ee4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x58:
75feb727 c9              
0:001> g
eax=00000000 ebx=77a21c04 ecx=00000000 edx=00000000 esi=004da500 edi=00000000
eip=779e00ed esp=0672fc8c ebp=0672fe20 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtWaitForMultipleObjects+0x15:
779e00ed 83c404          add     esp,4


Information:
The sketchup exception-handling filters wrong or manipulated file imports & mark them as not working(wrong.png).
The PoC is not affected by the sketchup exception-handling & get through without any blocking exception-handling. 


Pictures:
			../1.png
			../2.png
			../2.2-bex.png
			../3.png
			../wrong.png

Analyses:
			../AppCrash_SketchUp.exe_b7af0d96025b256cb43f14bb2184042bfdb54f4_114ea662
			../AppCrash_SketchUp.exe_b23e85cdd9cd939dfa22fccaf81865a57c03cb_12666c3f
			../Crash Reports
			../SketchUp5FMH3QI7.dmp
			../SketchUpCTOP41M5.dmp
			../bugsplat.log


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers or remote attackers via high required user inter action.
For demonstration or reproduce ...


</mesh>
</geometry>
<geometry id="ID98">
<mesh>
<source id="ID101">
<float_array id="ID103" count="18">9.012466 -7.460699e-014 32.20518 8.953292 -6.750156e-014 32.1395 9.053064 -4.973799e-014 
32.37933 8.872076 -6.394885e-014 32.69951 8.781835 -4.263256e-014 33.29565 8.601355 -2.131628e-014 34.02728</float_array>
     <technique_common>
     <accessor count="6" source="#ID103" stride="3">
               <param name="X" type="float" />
               <param name="Y" type="float" />
               <param name="CORRUPT" type="float" />
	       </accessor>
     </technique_common>


PoC:			../PoC/poc.dae
SIZE:			136kb


Security Risk:
==============
The security risk of the memory corruption vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory