Executive Summary

Summary
Title SketchUp Viewer buffer overflow vulnerability
Informations
Name VU#586958 First vendor Publication 2013-12-12
Vendor VU-CERT Last vendor Modification 2013-12-12
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#586958

SketchUp Viewer buffer overflow vulnerability

Original Release date: 12 Dec 2013 | Last revised: 12 Dec 2013

Overview

SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2013-6038

SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker to run arbitrary code in the context of the logged in user. It is unknown if other versions of this software are also affected.

Impact

By convincing a user to open a specially crafted .SKP file with SketchUp, a remote unauthenticated attacker could execute arbitrary code on a vulnerable system in the context of the logged in user.

Solution

We are currently unaware of a practical solution to this problem.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of these vulnerabilities.

Use caution when opening email attachments

See US-CERT tip ST04-010 for details.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SketchUpUnknown24 Sep 201304 Dec 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base4.4AV:L/AC:M/Au:N/C:P/I:P/A:P
Temporal4.0E:POC/RL:U/RC:C
Environmental1.0CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/121.html
  • http://support.microsoft.com/kb/2458544
  • http://www.us-cert.gov/ncas/tips/ST04-010

Credit

Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs:CVE-2013-6038
  • Date Public:12 Dec 2013
  • Date First Published:12 Dec 2013
  • Date Last Updated:12 Dec 2013
  • Document Revision:15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/586958

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2013-12-18 13:21:53
  • Multiple Updates
2013-12-17 21:23:51
  • Multiple Updates
2013-12-14 17:17:58
  • Multiple Updates
2013-12-13 05:17:55
  • First insertion