Trimble SketchUp Heap Buffer Overflow (Aug 2, 2013)

Trimble SketchUp is a 3D modeling program used across a broad range of fields, including architectural, civil, mechanical, film and video game design. It is available as SketchUp Make, a free version, and SketchUp Pro, a paid version. Ownership of the product has passed through an initial independent stage (2000-2006) and a second phase under Google (2006-2012) to its current owner, Trimble Navigation, a mapping, surveying, and navigation equipment company.

The free version of SketchUp can export 3D models to the .dae and Google Earth .kmz file formats. The Pro version extends export support to the .3ds, .dwg, .dxf, .fbx, .obj, .xsi, and .wrl file formats. SketchUp can also save elevations or renderings of the model, called "screenshots", as .bmp, .png, .jpg, or .tif, with the Pro version also supporting .pdf, .eps, .epx, .dwg, and .dxf.

The BMP file format (.bmp), also known as bitmap image file or device independent bitmap (DIB) file format or simply a bitmap, is a raster graphics image file format used to store bitmap digital images, independently of the display device (such as a graphics adapter), especially on Microsoft Windows and OS/2 operating systems. The BMP file format is capable of storing 2D digital images of arbitrary width, height, and resolution, both monochrome and color, in various color depths, and optionally with data compression, alpha channels, and color profiles.

Each BMP file starts with two consecutive headers, the File Header and the Image Header. The Image Header has the following structure:

 offset  field name       type   description
 ------  ---------------  -----  --------------------------------------------------
 0x000E  biSize           int32  Header size
 0x0012  biWidth          int32  Image width in pixels
 0x0016  biHeight         int32  Image height in pixels
 0x001A  biPlanes         int16  Number of planes - usually 1
 0x001C  biBitCount       int16  Number of bits per pixel - 1, 4, 8, 16, 24, or 32
 0x001E  biCompression    int32  Compression type
 0x0022  biSizeImage      int32  Image size
 0x0026  biXPelsPerMeter  int32  Preferred horizontal resolution in pixels per meter
 0x002A  biYPelsPerMeter  int32  Preferred vertical resolution in pixels per meter
 0x002E  biClrUsed        int32  Number of color map entries used
 0x0032  biClrImportant   int32  Number of significant colors

A heap buffer overflow exists in Trimble Navigation's SketchUp. The vulnerability is due to insufficient validation of the size of a buffer before data is copied into it. Remote attackers may exploit this vulnerability by persuading a target user to open a specially crafted BMP or SKP file on a system that has Trimble SketchUp installed. Successful exploitation may lead to arbitrary code execution in the security context of the logged-in user.
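The check the advisory describes as missing, written out as an added example in C (this is not SketchUp's code or the advisory's): the image header fields from the table above are cross-checked against the bytes actually received before anything is copied. The sample BMP and the rewritten biWidth are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BMP_FILE_HDR 14    /* the file header precedes the 40-byte image header from the table */
#define BMP_INFO_HDR 40
static uint32_t rd32(const uint8_t *p)              /* little-endian int32 header field */
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Validate the image header against the bytes actually present and return how many pixel-data
 * bytes a BI_RGB image needs; 0 means "reject". 64-bit arithmetic stops width * bpp from wrapping. */
size_t bmp_checked_pixel_size(const uint8_t *f, size_t len)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR || f[0] != 'B' || f[1] != 'M')
        return 0;
    const uint8_t *ih = f + BMP_FILE_HDR;
    uint32_t data_off = rd32(f + 10), bi_size = rd32(ih), compr = rd32(ih + 16);
    int32_t  width  = (int32_t)rd32(ih + 4);
    int32_t  height = (int32_t)rd32(ih + 8);        /* negative means top-down rows */
    uint16_t bpp    = (uint16_t)(ih[14] | ih[15] << 8);
    if (bi_size < BMP_INFO_HDR || width <= 0 || height == 0 || compr != 0)
        return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return 0;
    uint64_t rows      = height < 0 ? (uint64_t)-(int64_t)height : (uint64_t)height;
    uint64_t row_bytes = (((uint64_t)width * bpp + 31) / 32) * 4;   /* rows are 4-byte aligned */
    uint64_t need      = row_bytes * rows;
    /* Pixel data must begin after the headers and fit inside the bytes we were handed. */
    if (data_off < (uint64_t)BMP_FILE_HDR + bi_size || data_off > len || need > len - data_off)
        return 0;
    return (size_t)need;
}

/* Constructed sample: a 2x2, 24-bit, uncompressed BMP (54 header bytes + 16 pixel bytes). */
static const uint8_t SAMPLE_BMP[70] = {
    'B','M', 70,0,0,0, 0,0,0,0, 54,0,0,0,                    /* file header */
    40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 24,0, 0,0,0,0,          /* biSize .. biCompression */
    16,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,            /* biSizeImage .. biClrImportant */
    0xFF,0,0, 0,0xFF,0, 0,0, 0,0,0xFF, 0xFF,0xFF,0xFF, 0,0   /* two 8-byte rows, 2 pad bytes each */
};

/* Same bytes with biWidth rewritten to 0x7FFFFFFF: the header now promises far more pixel data
 * than the 16 bytes present, the kind of inconsistency a parser must refuse before it copies. */
size_t sample_oversized_width(void)
{
    uint8_t bad[sizeof SAMPLE_BMP];
    memcpy(bad, SAMPLE_BMP, sizeof bad);
    bad[18] = 0xFF; bad[19] = 0xFF; bad[20] = 0xFF; bad[21] = 0x7F;   /* biWidth at 0x12 */
    return bmp_checked_pixel_size(bad, sizeof bad);                  /* 0: rejected */
}
```

The intact sample yields the 16 bytes a 2x2 24-bit image really needs, while the tampered header is rejected because its computed size exceeds the data that exists.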

The Dell SonicWALL Threat Research team has investigated this vulnerability and released the following signatures addressing the issue:

  • IPS 5945: Client Application Shellcode Exploit 18
  • SPY 4668: Malformed-File skp.TL.1

This vulnerability has been assigned CVE-2013-3663.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.