Google SketchUp Pro 7.0 (.skp file) Remote Stack Overflow PoC

Title: Google SketchUp Pro 7.0 (.skp file) Remote Stack Overflow PoC
Advisory ID: ZSL-2009-4924
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 01.08.2009
Summary
Google SketchUp Pro 7 is a suite of powerful features and applications for streamlining your professional 3D workflow.
Description
Google SketchUp Pro 7.0 suffers from a stack overflow vulnerability. It fails to handle a malformed .skp file safely: parsing the file overflows the stack, crashes the application and pops up Google's crash reporter tool.

EBX, ESI and EDI get overwritten (depending on the offset). The issue is triggered by double-clicking the file, or through the Open menu by merely selecting the file. The same happens in the two other applications included in this Pro version of Google SketchUp: LayOut 2.0 (current version: 2.0.10247) suffers from the same issue when inserting the .skp file via File -> Insert -> evil.skp, and Style Builder 1.0 (current version: 1.0.10247) via Preview -> Change Model -> evil.skp.

Another issue lies in the DLL files shipped with the Google SketchUp Pro package. ThumbsUp.dll and xerces-c_2_6.dll take part in rendering Windows Explorer's Thumbnails view. If you select the created "SketchUp_PoC.skp" file, explorer.exe instantly crashes and restarts. Every application that uses the standard Open dialog box will crash if you view the folder containing the PoC file in Thumbnails view. Attaching a file to an e-mail through Mozilla Firefox and viewing the thumbnail of the PoC crashes Firefox with its crash reporter; the same goes for MS Office, Skype, MSN Messenger, etc.

--------------------------------------------------------------------------------

0012b310: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b330: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b350: 78134c58 0012b384 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b360
0012b370: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b390: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3d0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b414 7c809abc 7c809ac6
0012b3f0: 0012eee0 0012eee0 02c85744 0012b3f0 02c85744 0012eda8 7c839ac0 7c809ad0
0012b410: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b430: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b450: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b470: 78134c58 0012b4a4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b480
0012b490: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b4b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4f0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b534 7c809abc 7c809ac6
0012b510: 0012eee0 0012eee0 02c85744 0012b510 02c85744 0012eda8 7c839ac0 7c809ad0
0012b530: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b550: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b570: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b590: 78134c58 0012b5c4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b5a0
0012b5b0: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b5d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b5f0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b610: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b654 7c809abc 7c809ac6

--------------------------------------------------------------------------------
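The stack dump above can be triaged mechanically before drawing any conclusions about what was clobbered. The Python script below is an added example, not part of the advisory and not the PoC code it references: it parses the dump lines, locates every run of the 0x41414141 fill dword, measures the spacing between consecutive runs and lists the dwords whose values point back into the dumped stack range. The dump text is embedded verbatim from the advisory. The one assumption is that the dump is a little-endian dword display, as Windows debuggers render the stack; it is used only to count fill bytes that bleed into the dword following each run.

```python
import re
from typing import List, Tuple

# Stack dump copied verbatim from the advisory above (ZSL-2009-4924).
DUMP = """\
0012b310: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b330: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b350: 78134c58 0012b384 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b360
0012b370: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b390: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3d0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b414 7c809abc 7c809ac6
0012b3f0: 0012eee0 0012eee0 02c85744 0012b3f0 02c85744 0012eda8 7c839ac0 7c809ad0
0012b410: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b430: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b450: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b470: 78134c58 0012b4a4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b480
0012b490: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b4b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4f0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b534 7c809abc 7c809ac6
0012b510: 0012eee0 0012eee0 02c85744 0012b510 02c85744 0012eda8 7c839ac0 7c809ad0
0012b530: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b550: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b570: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b590: 78134c58 0012b5c4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b5a0
0012b5b0: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b5d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b5f0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b610: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b654 7c809abc 7c809ac6
"""

FILL = 0x41414141  # the 'AAAA' pattern the PoC file is padded with

LINE_RE = re.compile(r'^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8})+)\s*$')


def parse_dump(text: str) -> List[Tuple[int, int]]:
    """Turn 'addr: dw dw ...' lines into a flat list of (address, dword) pairs."""
    words = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators, blank lines, anything that is not a dump row
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words.append((base + 4 * i, int(tok, 16)))
    return words


def fill_runs(words: List[Tuple[int, int]], fill: int = FILL) -> List[Tuple[int, int, int]]:
    """Maximal runs of the fill dword as (start_addr, n_dwords, n_bytes).

    n_bytes also counts fill bytes that bleed into the next dword, assuming a
    little-endian dword display (low byte is the lowest address in memory).
    """
    runs, i, n = [], 0, len(words)
    while i < n:
        if words[i][1] != fill:
            i += 1
            continue
        start, j = words[i][0], i
        while j < n and words[j][1] == fill:
            j += 1
        nbytes = 4 * (j - i)
        if j < n:
            nxt, fill_byte = words[j][1], fill & 0xFF
            for k in range(4):
                if (nxt >> (8 * k)) & 0xFF != fill_byte:
                    break
                nbytes += 1
        runs.append((start, j - i, nbytes))
        i = j
    return runs


def run_period(runs: List[Tuple[int, int, int]]) -> List[int]:
    """Distance between successive run starts; a constant spacing means repeated fixed-size blocks."""
    return [b[0] - a[0] for a, b in zip(runs, runs[1:])]


def in_dump_pointers(words: List[Tuple[int, int]], fill: int = FILL) -> List[Tuple[int, int]]:
    """Non-fill dwords whose value lands inside the dumped range: candidate saved frame or handler links."""
    lo, hi = words[0][0], words[-1][0] + 4
    return [(addr, val) for addr, val in words if val != fill and lo <= val < hi]


if __name__ == "__main__":
    ws = parse_dump(DUMP)
    for start, ndw, nb in fill_runs(ws):
        print(f"fill run at {start:08x}: {ndw} dwords ({nb} bytes incl. bleed-in)")
    print("spacing between runs:", [hex(d) for d in run_period(fill_runs(ws))])
    for addr, val in in_dump_pointers(ws):
        print(f"{addr:08x} -> {val:08x} (points into dumped stack)")
```

On the advisory's dump this reports six runs: the first is cut off by the start of the dump, and every complete run is 16 dwords long (65 bytes counting the 0x41 that bleeds into the following dword), with run starts 0x90 bytes apart. Each block in between carries a value that points a little further up the dumped stack. A regular picture like this suggests a fixed-size structure written repeatedly rather than one oversized buffer, which is the kind of observation that should precede any claim about which register or pointer was controlled.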

Vendor
Google Inc. - http://www.sketchup.com
Affected Version
7.0.10247
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[23.07.2009] Vendor notified; a fix is scheduled to be included in the next upcoming release of the Google SketchUp product.
PoC
google2.c
google1.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.milw0rm.com/exploits/9317
[2] http://securityreason.com/exploitalert/6803
[3] http://www.securityfocus.com/bid/35911
[4] http://www.juniper.net/security/auto/vulnerabilities/vuln35911.html
[5] http://sebug.net/exploit/11958/
[6] http://www.venustech.com.cn/NewsInfo/124/4897.Html
[7] http://www.nsfocus.net/vulndb/13667
[8] http://www.packetstormsecurity.org/filedesc/googlesketchup-overflow.txt.html
Changelog
[01.08.2009] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk