Google SketchUp Pro 7.0 (.skp file) Remote Stack Overflow PoC
Title: Google SketchUp Pro 7.0 (.skp file) Remote Stack Overflow PoC
Advisory ID: ZSL-2009-4924
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 01.08.2009
EBX, ESI and EDI gets overwritten (depending of the offset). The issue is triggered when double-clicking the file or thru Open menu by just selecting the file. Same happens with the 2 other apps included in this Pro version of Google SketchUp. LayOut 2.0 (current version: 2.0.10247) suffers from the same issue when insering the .skp file by File -> Insert -> evil.skp file. Style Builder 1.0 (current version: 1.0.10247) by going Preview -> Change Model -> evil.skp file.
Another issue is the DLL files provided with the Google SketchUp Pro package. ThumbsUp.dll and xerces-c_2_6.dll mingles with the Thumbnail view from Microsoft. If you select the created "SketchUp_PoC.skp" file, explorer.exe instantly crashes and restarts. Every application that uses Open Dialog Boxes will crash if you view the folder containing the PoC file in thumbnails view. Attaching files on e-mail thru Mozilla Firefox, viewing thumbnails of the PoC crashes Firefox with it's crash reporter, MS Office, Skype, MSN Messenger, etc...you name it.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
google1.pl
[2] http://securityreason.com/exploitalert/6803
[3] http://www.securityfocus.com/bid/35911
[4] http://www.juniper.net/security/auto/vulnerabilities/vuln35911.html
[5] http://sebug.net/exploit/11958/
[6] http://www.venustech.com.cn/NewsInfo/124/4897.Html
[7] http://www.nsfocus.net/vulndb/13667
[8] http://www.packetstormsecurity.org/filedesc/googlesketchup-overflow.txt.html
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2009-4924
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 01.08.2009
Summary
Google SketchUp Pro 7 is a suite of powerful features and applications for streamlining your professional 3D workflow.Description
Google SketchUp Pro 7.0 suffers from a stack overflow vulnerability. It fails to handle the .skp file format resulting in crash overflowing the memory stack, poping out the crash reporter tool from Google.EBX, ESI and EDI gets overwritten (depending of the offset). The issue is triggered when double-clicking the file or thru Open menu by just selecting the file. Same happens with the 2 other apps included in this Pro version of Google SketchUp. LayOut 2.0 (current version: 2.0.10247) suffers from the same issue when insering the .skp file by File -> Insert -> evil.skp file. Style Builder 1.0 (current version: 1.0.10247) by going Preview -> Change Model -> evil.skp file.
Another issue is the DLL files provided with the Google SketchUp Pro package. ThumbsUp.dll and xerces-c_2_6.dll mingles with the Thumbnail view from Microsoft. If you select the created "SketchUp_PoC.skp" file, explorer.exe instantly crashes and restarts. Every application that uses Open Dialog Boxes will crash if you view the folder containing the PoC file in thumbnails view. Attaching files on e-mail thru Mozilla Firefox, viewing thumbnails of the PoC crashes Firefox with it's crash reporter, MS Office, Skype, MSN Messenger, etc...you name it.
--------------------------------------------------------------------------------
0012b310: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b330: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b350: 78134c58 0012b384 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b360
0012b370: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b390: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3d0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b414 7c809abc 7c809ac6
0012b3f0: 0012eee0 0012eee0 02c85744 0012b3f0 02c85744 0012eda8 7c839ac0 7c809ad0
0012b410: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b430: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b450: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b470: 78134c58 0012b4a4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b480
0012b490: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b4b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4f0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b534 7c809abc 7c809ac6
0012b510: 0012eee0 0012eee0 02c85744 0012b510 02c85744 0012eda8 7c839ac0 7c809ad0
0012b530: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b550: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b570: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b590: 78134c58 0012b5c4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b5a0
0012b5b0: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b5d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b5f0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b610: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b654 7c809abc 7c809ac6
--------------------------------------------------------------------------------
Vendor
Google Inc. - http://www.sketchup.comAffected Version
7.0.10247Tested On
Microsoft Windows XP Professional SP3 (English)Vendor Status
[23.07.2009] Vendor notified, fix scheduled to be included in the next upcoming release of Google SketchUp product.PoC
google2.cgoogle1.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.milw0rm.com/exploits/9317[2] http://securityreason.com/exploitalert/6803
[3] http://www.securityfocus.com/bid/35911
[4] http://www.juniper.net/security/auto/vulnerabilities/vuln35911.html
[5] http://sebug.net/exploit/11958/
[6] http://www.venustech.com.cn/NewsInfo/124/4897.Html
[7] http://www.nsfocus.net/vulndb/13667
[8] http://www.packetstormsecurity.org/filedesc/googlesketchup-overflow.txt.html
Changelog
[01.08.2009] - Initial releaseContact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk