Overview
SketchUp Viewer version 13.0.4124 is vulnerable to a buffer overflow when opening a malformed .SKP file.
Description
CWE-121: Stack-based Buffer Overflow - CVE-2013-6038 SketchUp Viewer version 13.0.4124 is vulnerable to a stack buffer overflow when parsing a specially crafted .SKP file. When executed, it may allow a remote unauthenticated attacker to run arbitrary code in the context of the logged in user. It is unknown if other versions of this software are also affected. |
Impact
By convincing a user to open a specially crafted .SKP file with SketchUp, a remote unauthenticated attacker could execute arbitrary code on a vulnerable system in the context of the logged in user. |
Solution
We are currently unaware of a practical solution to this problem. |
Use the Microsoft Enhanced Mitigation Experience Toolkit |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 4 | E:POC/RL:U/RC:C |
| Environmental | 1.0 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.
This document was written by Chris King.
Other Information
| CVE IDs: | CVE-2013-6038 |
| Date Public: | 2013-12-12 |
| Date First Published: | 2013-12-12 |
| Date Last Updated: | 2013-12-13 18:34 UTC |
| Document Revision: | 17 |