Talos Vulnerability Report

TALOS-2018-0680

AutoDesk AutoCAD 2019 cell margin code execution vulnerability

February 14, 2019
CVE Number

CVE-2019-7359

Summary

An exploitable heap overflow vulnerability exists in the DXF-parsing functionality of AutoDesk AutoCAD 2019 P.46.0.0. A specially crafted DXF file with too many cell margins populating an AcCellMargin object can cause a heap overflow, resulting in code execution. An attacker can provide a victim with a specially crafted DXF file to exploit the vulnerability.

Tested Versions

AutoDesk AutoCAD 2019 P.46.0.0

Product URLs

https://www.autodesk.com/products/autocad/overview

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122: Heap-based Buffer Overflow

Details

AutoDesk AutoCAD is a design and drafting application. AutoCAD helps civil engineers draft practically any civil engineering structure with ease, speed and accuracy. This application also helps engineers solve design issues earlier in the design process.

One of the file formats AutoCAD supports is DXF (Drawing Exchange Format). DXF was developed by AutoDesk to help pass data between the variety of AutoDesk applications. The format is a tagged data format where each element is prepended with a number that represents a group code signifying how the data is interpreted.

The module used for analysis is shown below.

0:000> lm vm acdb23
start             end                 module name
00007ffd`bc550000 00007ffd`bda40000   acdb23     (export symbols)       C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll
    Loaded symbol image file: C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll
    Image path: C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll
    Image name: acdb23.dll
    Timestamp:        Mon Jan 29 20:32:20 2018 (5A6FF554)
    CheckSum:         014D5C2F
    ImageSize:        014F0000
    File version:     23.0.46.0
    Product version:  23.0.46.0

One element type handled by the DXF parser is the AcCellMargin. The creation of an AcCellMargin begins with a malloc of 0x38 bytes. This memory region is then passed to the following function for initialization.

acdb23.dll+d7998
.text:00000000010D7998     init_AcCellMargin proc near             ; CODE XREF: sub_10D66B8+32↑p
.text:00000000010D7998                                             ; sub_1A6ED0C+2C0↓p ...
.text:00000000010D7998 000                 lea     rax, const AcCellMargin::`vftable' ; [1]
.text:00000000010D799F 000                 xor     edx, edx
.text:00000000010D79A1 000                 mov     [rcx], rax
.text:00000000010D79A4 000                 lea     r8, [rcx+8]
.text:00000000010D79A8
.text:00000000010D79A8 000                 lea     rax, [rdx-4]
.text:00000000010D79AC 000                 cmp     rax, 1
.text:00000000010D79B0 000                 mov     rax, 3FAEB851EB851EB8h
.text:00000000010D79BA 000                 jbe     short loc_10D79D0
.text:00000000010D79BC
.text:00000000010D79BC 000                 mov     [r8], rax                          ; [2]
.text:00000000010D79BF 000                 inc     rdx
.text:00000000010D79C2 000                 add     r8, 8
.text:00000000010D79C6 000                 cmp     rdx, 6
.text:00000000010D79CA 000                 jl      short loc_10D79A8
.text:00000000010D79CC 000                 mov     rax, rcx
.text:00000000010D79CF 000                 retn

This element is initialized with the AcCellMargin vtable [1], as well as initialized with six values for the six different margins available [2]. When parsing a group code of value 301, this AcCellMargin can be set using values from the DXF file. The code id of 40 is used to mark values to be written to the AcCellMargin.

acdb23.dll+a7002f
                        top_loop:
.text:0000000001A7002F 058  mov     rax, [rbx]
.text:0000000001A70032 058  lea     rdx, [rsp+58h+data_read_from_file]
.text:0000000001A70037 058  mov     rcx, rbx
.text:0000000001A7003A 058  add     rdi, 8                ; [6]
.text:0000000001A7003E 058  call    qword ptr [rax+98h]   ; [3]
.text:0000000001A70044 058  test    eax, eax
.text:0000000001A70046 058  jnz     short break_loop
.text:0000000001A7004D 058  cmp     eax, 40
.text:0000000001A70050 058  jnz     short break_loop      ; [4]
.text:0000000001A70052 058  movsd   xmm0, [rsp+58h+new_margin_value]
.text:0000000001A70058 058  movsd   qword ptr [rdi], xmm0 ; [5]
.text:0000000001A7005C 058  jmp     short top_loop

The code above a data block from the file [3] and checks if the ID of the data read is 40. If it is 40 [4], then the value of the data block is written to the AcCellMargin object [5] and the reference in the AcCellMargin is incremented [6]. This process continues until a non-40 data block is read. If more than six values are read and written, the original AcCellMargin memory region is overflown causing a heap buffer overflow, resulting in code execution with a carefully crafted file.

Crash Information

(1934.be4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll - 
acdb23!zapset+0x4118:
00007ffd`44a10058 f20f1107        movsd   mmword ptr [rdi],xmm0 ds:000001e1`43985000=????????????????

Timeline

2018-10-01 - Vendor Disclosure
2019-02-14 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.