Vulnerability Note VU#586958
SketchUp Viewer buffer overflow vulnerability
Overview
SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file.
Description
CWE-121: Stack-based Buffer Overflow - CVE-2013-6038 SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker to run arbitrary code in the context of the logged in user. It is unknown if other versions of this software are also affected. |
Impact
By convincing a user to open a specially crafted .SKP file with SketchUp, a remote unauthenticated attacker could execute arbitrary code on a vulnerable system in the context of the logged in user. |
Solution
We are currently unaware of a practical solution to this problem. |
Use the Microsoft Enhanced Mitigation Experience Toolkit |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| SketchUp | Affected | 24 Sep 2013 | 13 Dec 2013 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 4.0 | E:POC/RL:U/RC:C |
| Environmental | 1.0 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://cwe.mitre.org/data/definitions/121.html
- http://support.microsoft.com/kb/2458544
- http://www.us-cert.gov/ncas/tips/ST04-010
Credit
Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.
This document was written by Chris King.
Other Information
- CVE IDs: CVE-2013-6038
- Date Public: 12 Dec 2013
- Date First Published: 12 Dec 2013
- Date Last Updated: 13 Dec 2013
- Document Revision: 15
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.