ID ZDI-15-620 Type zdi Reporter kdot Modified 2015-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of GIF files. The issue lies in the failure to handle the case when the GlobalColorTable is present despite not being specified. An attacker could leverage this vulnerability to execute code within the context of the current process.
{"enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "vulnersScore": 9.3}, "edition": 2, "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-620", "modified": "2015-11-09T00:00:00", "published": "2015-12-08T00:00:00", "history": [{"differentElements": ["modified"], "edition": 1, "lastseen": "2016-09-04T11:33:54", "bulletin": {"published": "2015-12-08T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-620", "modified": "2015-09-04T00:00:00", "edition": 1, "history": [], "bulletinFamily": "info", "viewCount": 1, "objectVersion": "1.2", "hash": "46b876da24806983a1e8f4187671eb0b8e0299940dc49ece91625c2600a9144a", "title": "Autodesk Design Review GIF GlobalColorTable Buffer Overflow Remote Code Execution Vulnerability", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "cvelist": ["CVE-2015-8572"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of GIF files. The issue lies in the failure to handle the case when the GlobalColorTable is present despite not being specified. An attacker could leverage this vulnerability to execute code within the context of the current process.", "type": "zdi", "id": "ZDI-15-620", "lastseen": "2016-09-04T11:33:54", "reporter": "kdot", "hashmap": [{"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "published"}, {"hash": "765958787dfb167bb4e2a50bca76c7ad", "key": "href"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "20746f977a612e0bc8404b348c9be4f3", "key": "cvelist"}, {"hash": "fe1451157ae212a200b0c076d5db6566", "key": "description"}, {"hash": "0dd30a11a548a7f52372b214f0e06bc1", "key": "reporter"}, {"hash": "e824a351009e908de42c9c637460f5e0", "key": "title"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "399367e0138962a3ef7b1142fac65281", "key": "modified"}, {"hash": "eeaf1769bc115b91af94892f4f772329", "key": "references"}], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}}], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of GIF files. The issue lies in the failure to handle the case when the GlobalColorTable is present despite not being specified. An attacker could leverage this vulnerability to execute code within the context of the current process.", "bulletinFamily": "info", "viewCount": 11, "objectVersion": "1.2", "hash": "59f119f27996fab4d9dcf726396907cc8a5c80bb0943919d73d0314aef541790", "title": "Autodesk Design Review GIF GlobalColorTable Buffer Overflow Remote Code Execution Vulnerability", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "cvelist": ["CVE-2015-8572"], "type": "zdi", "id": "ZDI-15-620", "lastseen": "2016-11-09T00:17:56", "reporter": "kdot", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "20746f977a612e0bc8404b348c9be4f3", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "fe1451157ae212a200b0c076d5db6566", "key": "description"}, {"hash": "765958787dfb167bb4e2a50bca76c7ad", "key": "href"}, {"hash": "50c7c1afd5da60ac021006aa5ae02a63", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "published"}, {"hash": "eeaf1769bc115b91af94892f4f772329", "key": "references"}, {"hash": "0dd30a11a548a7f52372b214f0e06bc1", "key": "reporter"}, {"hash": "e824a351009e908de42c9c637460f5e0", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}
{"cve": [{"lastseen": "2016-09-03T23:26:08", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html", "http://www.zerodayinitiative.com/advisories/ZDI-15-616", "http://www.zerodayinitiative.com/advisories/ZDI-15-620", "http://www.zerodayinitiative.com/advisories/ZDI-15-618", "http://www.zerodayinitiative.com/advisories/ZDI-15-615", "http://www.zerodayinitiative.com/advisories/ZDI-15-619"], "edition": 1, "description": "Multiple buffer overflows in Autodesk Design Review (ADR) before 2013 Hotfix 2 allow remote attackers to execute arbitrary code via crafted RLE data in a (1) BMP or (2) FLI file, (3) encoded scan lines in a PCX file, or (4) DataSubBlock or (5) GlobalColorTable in a GIF file.", "reporter": "NVD", "published": "2015-12-15T16:59:13", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "CVE-2015-8572", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-8572"], "scanner": [], "modified": "2015-12-16T14:55:09", "cpe": ["cpe:/a:autodesk:design_review:2013"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8572", "id": "CVE-2015-8572", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:11", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of PCX files. The issue lies in the failure to decode scan lines within the bounds of the allocated buffer. An attacker could leverage this vulnerability to execute code within the context of the current process.", "reporter": "kdot", "published": "2015-12-08T00:00:00", "title": "Autodesk Design Review PCX Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-8572"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-618", "id": "ZDI-15-618", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:01", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of BMP files. The issue lies in the failure to ensure that run-length encoded data does not write outside the bounds of the allocated buffer. An attacker could leverage this vulnerability to execute code within the context of the current process.", "reporter": "kdot", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Autodesk Design Review BMP RLE Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-8572"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-615", "id": "ZDI-15-615", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:56", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of GIF files. The issue lies in the failure to ensure that the DataSubBlock sizes are valid. An attacker could leverage this vulnerability to execute code within the context of the current process.", "reporter": "kdot", "published": "2015-12-08T00:00:00", "title": "Autodesk Design Review GIF DataSubBlock Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-8572"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-619", "id": "ZDI-15-619", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:04", "references": ["https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of FLI files. The issue lies in the failure to ensure that run-length encoded data does not write outside the bounds of the allocated buffer. An attacker could leverage this vulnerability to execute code within the context of the current process.", "reporter": "kdot", "published": "2015-12-08T00:00:00", "title": "Autodesk Design Review FLI RLE Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-8572"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-616", "id": "ZDI-15-616", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kaspersky": [{"lastseen": "2019-01-14T08:07:39", "references": [], "description": "### *CVSS*:\n6.8\n\n### *Detect date*:\n10/28/2015\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Autodesk Design Review. Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nAutodesk Design Review versions earlier than 2013 with hotfix 2\n\n### *Solution*:\nIf you use older version you must update to 2013 and install hotfix. If you already use 2013 version \u2013 install hotfix \n[Autodesk Design Review 2013](<http://usa.autodesk.com/design-review/download/>) \n[Autodesk Design Review hotfix](<https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html>)\n\n### *Original advisories*:\n[Autodesk hotfix note](<https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Autodesk Design Review](<https://threats.kaspersky.com/en/product/Autodesk-Design-Review/>)\n\n### *CVE-IDS*:\n[CVE-2015-8571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8571>) \n[CVE-2015-8572](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8572>)", "edition": 31, "reporter": "Kaspersky Lab", "published": "2015-10-28T00:00:00", "title": "\r KLA10725Code execution vulnerabilities in Aurodesk Design Review ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-8572", "CVE-2015-8571"], "modified": "2019-01-04T00:00:00", "id": "KLA10725", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10725", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:23:03", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-15-618/", "https://www.zerodayinitiative.com/advisories/ZDI-15-616/", "https://www.zerodayinitiative.com/advisories/ZDI-15-617/", "https://www.zerodayinitiative.com/advisories/ZDI-15-615/", "https://www.zerodayinitiative.com/advisories/ZDI-15-619/", "http://www.nessus.org/u?737f5f11", "https://www.zerodayinitiative.com/advisories/ZDI-15-620/"], "pluginID": "87766", "description": "The version of Autodesk Design Review installed on the remote Windows\nhost is prior to 2013 Hotfix 2. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - An integer overflow condition exists due to improper\n handling of BMP images. A remote attacker can exploit\n this, via a crafted 'biClrUsed' value in a BMP file, to\n trigger a buffer overflow, resulting in the execution of\n arbitrary code. (CVE-2015-8571)\n\n - Multiple buffer overflow conditions exist due to\n improper validation of user-supplied input. A remote\n attacker can exploit this, via crafted data in BMP, FLI,\n and GIF files, to execute arbitrary code.\n (CVE-2015-8572)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 8, "reporter": "Tenable", "published": "2016-01-06T00:00:00", "title": "Autodesk Design Review < 2013 Hotfix 2 Multiple RCE", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8572", "CVE-2015-8571"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:autodesk:design_review"], "id": "AUTODESK_DR_2013_HOTFIX_2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87766", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87766);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2015-8571\", \"CVE-2015-8572\");\n script_bugtraq_id(79800, 79803);\n script_xref(name:\"ZDI\", value:\"ZDI-15-615\");\n script_xref(name:\"ZDI\", value:\"ZDI-15-616\");\n script_xref(name:\"ZDI\", value:\"ZDI-15-617\");\n script_xref(name:\"ZDI\", value:\"ZDI-15-618\");\n script_xref(name:\"ZDI\", value:\"ZDI-15-619\");\n script_xref(name:\"ZDI\", value:\"ZDI-15-620\");\n\n script_name(english:\"Autodesk Design Review < 2013 Hotfix 2 Multiple RCE\");\n script_summary(english:\"Checks the version of Autodesk Design Review.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application installed that is affected\nby multiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Autodesk Design Review installed on the remote Windows\nhost is prior to 2013 Hotfix 2. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - An integer overflow condition exists due to improper\n handling of BMP images. A remote attacker can exploit\n this, via a crafted 'biClrUsed' value in a BMP file, to\n trigger a buffer overflow, resulting in the execution of\n arbitrary code. (CVE-2015-8571)\n\n - Multiple buffer overflow conditions exist due to\n improper validation of user-supplied input. A remote\n attacker can exploit this, via crafted data in BMP, FLI,\n and GIF files, to execute arbitrary code.\n (CVE-2015-8572)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-615/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-616/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-617/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-618/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-619/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-620/\");\n # https://knowledge.autodesk.com/support/design-review/downloads/caas/downloads/content/autodesk-design-review-2013-hotfix.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?737f5f11\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Hotfix 2 to Autodesk Design Review 2013.\n\nNote that older versions will need to be updated to 2013 before\napplying the hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:autodesk:design_review\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"autodesk_dr_installed.nbin\");\n script_require_keys(\"installed_sw/Autodesk Design Review\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\napp = \"Autodesk Design Review\";\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfixed = '13.2.0.82';\n\nif (ver_compare(ver:version, fix:fixed, strict:FALSE) == -1)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, path, version);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
