Untrusted Search Path Vulnerability In Microsoft Auto Updater For Mac

Vulnerability

Two Vulnerabilities of AutoCAD: CVE-2014-0818 and CVE-2014-0819

Mar 16, 2014 @kaito834

- Overview -

AutoCAD 2013 and earlier versions contained untrusted search path vulnerabilities. When AutoCAD loads a FAS or DLL file, it searches for the file in the current working directory. Therefore, an attacker or malware could get its own FAS or DLL file loaded when an AutoCAD user opens a DWG file in a directory that contains such a DLL or FAS file. The vendor, Autodesk, Inc., fixed these vulnerabilities in AutoCAD 2014. These vulnerabilities were assigned CVE-2014-0818 and CVE-2014-0819.

CVE-2014-0818/JVN#33382534
CVE-2014-0819/JVN#43254599

- Background -

In June 2012, ESET posted a blog entry (.1) about ACAD/Medre.A, a worm written in AutoLISP.

The blog entry explained that the malware abused automatic loading of AutoLISP routines. I was interested in the search path of AutoCAD and consulted the official AutoCAD documentation. I confirmed that AutoCAD searches for AutoLISP code first in the current working directory (.2) if the AutoLISP code is loaded by filename only. As a result, I wrote a Proof of Concept based on the ESET blog entry and reported the malware issue as an untrusted search path vulnerability to IPA (.3).

(.1):
(.2): (Japanese)
(.3): INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

- Procedure for reproducing issue -

I confirmed this procedure on AutoCAD 2013, version G.55.0.0.

(1) Launch AutoCAD 2013 and save empty dimensional design data as Drawing1.dwg.

Then, store Drawing1.dwg together with the PoC code, Acad.fas (.4), in C:\exploit.

(2) After launching Process Monitor (.5), open Drawing1.dwg by double-clicking it.

(3) AutoCAD 2013 launches, and calc.exe launches at the same time. Then look at Process Monitor, and you can confirm that Acad.fas is loaded from the current working directory where Drawing1.dwg is stored. Also look at Event Properties - Stack in Process Monitor, and you can see that accore.dll loads Acad.fas.
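The Process Monitor check in step (3) can also be run over a saved CSV export, for example when reviewing a capture from a workstation. The following is an added example, not code from the original advisory: it reports FAS or DLL files that the AutoCAD process opened from the same directory it opened a drawing from. The process name acad.exe, the function name and the sample rows are assumptions made for the illustration.

```python
import csv
import io
import ntpath  # Windows path rules regardless of the analysis host's OS

CODE_EXTS = {".fas", ".dll"}             # file types named in the advisory
LOAD_OPS = {"CreateFile", "Load Image"}  # Process Monitor operation names

# Constructed sample in Process Monitor's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","acad.exe","4120","CreateFile","C:\exploit\Drawing1.dwg","SUCCESS",""
"10:01:02.31","acad.exe","4120","Load Image","C:\Program Files\Autodesk\AutoCAD 2013\accore.dll","SUCCESS",""
"10:01:02.48","acad.exe","4120","CreateFile","C:\exploit\Acad.fas","SUCCESS",""
"10:01:02.49","acad.exe","4120","ReadFile","C:\exploit\Acad.fas","SUCCESS",""
"10:01:02.55","acad.exe","4120","CreateFile","C:\exploit\sample.dll","NAME NOT FOUND",""
"10:01:03.02","explorer.exe","2044","CreateFile","C:\exploit\Acad.fas","SUCCESS",""
'''


def find_drawing_dir_loads(csv_text, process="acad.exe"):
    """Return FAS/DLL paths the process opened from a directory it also
    opened a .dwg from, i.e. code resolved next to the drawing."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process.lower()
            and r["Result"] == "SUCCESS"]
    # Directories from which the process successfully opened a drawing.
    drawing_dirs = {ntpath.dirname(r["Path"]).lower() for r in rows
                    if r["Path"].lower().endswith(".dwg")}
    hits = []
    for r in rows:
        path = r["Path"]
        ext = ntpath.splitext(path)[1].lower()
        if (r["Operation"] in LOAD_OPS and ext in CODE_EXTS
                and ntpath.dirname(path).lower() in drawing_dirs):
            hits.append(path)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    # For a real export, open the file with encoding="utf-8-sig" so a
    # leading BOM does not end up in the first column name.
    for hit in find_drawing_dir_loads(SAMPLE_CSV):
        print("loaded from drawing directory:", hit)
```

Files loaded from the installation directory, failed lookups and events from other processes are not reported; only successful opens next to a drawing are.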

(.4): The PoC code is not explained in this advisory. Please contact me if you are interested in the PoC.
(.5):

- Timeline -

Jul 3, 2012: I reported the vulnerability to IPA by email, and IPA responded that they had received the vulnerability report.
Aug 6, 2012: IPA informed me by email that they had confirmed the report and submitted it to the vendor, Autodesk, Inc.
Mid-Aug 2012: The vendor released AutoCAD 2013 Service Pack 1 (SP1), which provided a new security feature; see Reference.

Apr 4, 2013: I asked IPA by email whether the vulnerability had been fixed.
Apr 18, 2013: IPA answered by email that the vendor had released SP1 and would fix the vulnerability in the future.
May 11, 2013: I asked IPA by email whether CVE-2014-0818 was fixed and CVE-2014-0819 was not fixed.
May 22, 2013: IPA answered by email that CVE-2014-0818 and CVE-2014-0819 were not fixed and would be fixed in the future.
Aug 22, 2013: I asked IPA by email whether the vulnerability and CVE-2013-3665 were different.
Sep 4, 2013: IPA responded by email that they were waiting for a reply from the vendor.

Mid-Sep 2013: IPA answered by email that the vulnerability and CVE-2013-3665 were different.
Feb 21, 2014: The vendor fixed CVE-2014-0818 and CVE-2014-0819, and IPA published the advisories JVN#33382534 and JVN#43254599.

- Reference -

Hatena Diary (my blog post in Japanese)
Autodesk, Inc.

Vulnerability related to CVE-2014-0818.