ID

VAR-201602-0173


CVE

CVE-2016-2536


TITLE

(0Day) SAP 3D Visual Enterprise Viewer SketchUp document Use-After-Free Remote Code Execution Vulnerability

Trust: 2.8

sources: ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175

DESCRIPTION

Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Viewer allow remote attackers to execute arbitrary code via a crafted SketchUp document. NOTE: the primary affected product may be SketchUp. In addition, in this case the vulnerability may be in SketchUp itself. A third party may be able to execute arbitrary code through a skillfully crafted SketchUp document. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of SketchUp documents. With a specially crafted SketchUp document, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

Trust: 4.86

sources: NVD: CVE-2016-2536 // JVNDB: JVNDB-2016-001539 // ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // CNVD: CNVD-2016-01480 // IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-01480

AFFECTED PRODUCTS

vendor: sap, model: 3d visual enterprise viewer, scope: -, version: -

Trust: 4.8

vendor: sap, model: 3d visual enterprise viewer, scope: eq, version: *

Trust: 1.2

vendor: google, model: sketchup, scope: eq, version: *

Trust: 1.0

vendor: trimble, model: sketchup, scope: -, version: -

Trust: 0.8

sources: IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d // ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // CNVD: CNVD-2016-01480 // JVNDB: JVNDB-2016-001539 // CNNVD: CNNVD-201602-396 // NVD: CVE-2016-2536

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2016-2536
value: MEDIUM

Trust: 2.8

nvd@nist.gov: CVE-2016-2536
value: HIGH

Trust: 1.0

NVD: CVE-2016-2536
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-01480
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201602-396
value: MEDIUM

Trust: 0.6

IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-2536
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 4.6

CNVD: CNVD-2016-01480
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-2536
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d // ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // CNVD: CNVD-2016-01480 // JVNDB: JVNDB-2016-001539 // CNNVD: CNNVD-201602-396 // NVD: CVE-2016-2536

PROBLEMTYPE DATA

problemtype:CWE-399

Trust: 1.8

sources: JVNDB: JVNDB-2016-001539 // NVD: CVE-2016-2536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-396

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201602-396

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001539

PATCH

title: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

06/30/2015 - Disclosed vulnerability reports to vendor
09/28/2015 - The vendor let ZDI know that they would need an extension
09/29/2015 - ZDI agreed to an extension
02/09/2016 - ZDI notified the vendor that these would move to 0-day
02/09/2016 - The vendor replied that: "This issue is related to SketchUp having this vulnerability. SketchUp has refused to provide a patch. Is it still possible to ask for an 'exceptional' extension for us to manage a work-around?"
02/10/2016 - ZDI responded "No further extension can be granted."

-- Mitigation:
Given the stated purpose of SAP 3D Virtual Enterprise Viewer, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.

-- Vendor Response:
On 2/26/2016 SAP notified ZDI of the following available updates:
2281195 - Potential remote termination of running processes in SAP Visual Enterprise Author, Generator and Viewer
An attacker can remotely exploit SAP Visual Enterprise Author, Generator and Viewer version 8.0, which may lead to application termination.
Customers are advised to apply Note 2281195 immediately. We would like to remind our customers to secure SAP systems by installing all available security patches. You can find security notes and patches in the SAP Support Portal here <https://support.sap.com/securitynotes>.

url: https://service.sap.com/sap/support/notes/2281195

Trust: 2.8

title: SAP 3D Visual Enterprise Viewer, url: https://wiki.scn.sap.com/wiki/display/SVE/SAP+3D+Visual+Enterprise+Viewer

Trust: 0.8

sources: ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // JVNDB: JVNDB-2016-001539

EXTERNAL IDS

db: NVD, id: CVE-2016-2536

Trust: 5.2

db: ZDI, id: ZDI-16-176

Trust: 3.7

db: ZDI, id: ZDI-16-173

Trust: 3.1

db: ZDI, id: ZDI-16-174

Trust: 3.1

db: ZDI, id: ZDI-16-175

Trust: 3.1

db: BID, id: 83307

Trust: 1.0

db: CNVD, id: CNVD-2016-01480

Trust: 0.8

db: JVNDB, id: JVNDB-2016-001539

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-2974

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-2976

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-2975

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-2979

Trust: 0.7

db: CNNVD, id: CNNVD-201602-396

Trust: 0.6

db: IVD, id: D4504B9C-1E42-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: d4504b9c-1e42-11e6-abef-000c29c66e3d // ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // CNVD: CNVD-2016-01480 // JVNDB: JVNDB-2016-001539 // CNNVD: CNNVD-201602-396 // NVD: CVE-2016-2536

REFERENCES

url:https://service.sap.com/sap/support/notes/2281195

Trust: 5.6

url:https://support.sap.com/securitynotes

Trust: 2.8

url:http://www.zerodayinitiative.com/advisories/zdi-16-173

Trust: 2.4

url:http://www.zerodayinitiative.com/advisories/zdi-16-174

Trust: 2.4

url:http://www.zerodayinitiative.com/advisories/zdi-16-175

Trust: 2.4

url:http://www.zerodayinitiative.com/advisories/zdi-16-176

Trust: 2.4

url:http://www.securityfocus.com/bid/83307

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2536

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2536

Trust: 0.8

url:http://www.zerodayinitiative.com/advisories/zdi-16-176/

Trust: 0.6

sources: ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175 // CNVD: CNVD-2016-01480 // JVNDB: JVNDB-2016-001539 // CNNVD: CNNVD-201602-396 // NVD: CVE-2016-2536

CREDITS

Steven Seeley of Source Incite

Trust: 2.8

sources: ZDI: ZDI-16-173 // ZDI: ZDI-16-174 // ZDI: ZDI-16-176 // ZDI: ZDI-16-175

SOURCES

db: IVD, id: d4504b9c-1e42-11e6-abef-000c29c66e3d
db: ZDI, id: ZDI-16-173
db: ZDI, id: ZDI-16-174
db: ZDI, id: ZDI-16-176
db: ZDI, id: ZDI-16-175
db: CNVD, id: CNVD-2016-01480
db: JVNDB, id: JVNDB-2016-001539
db: CNNVD, id: CNNVD-201602-396
db: NVD, id: CVE-2016-2536

LAST UPDATE DATE

2024-08-14T14:33:50.016000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-16-173, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-174, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-176, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-175, date: 2016-02-18T00:00:00
db: CNVD, id: CNVD-2016-01480, date: 2016-03-08T00:00:00
db: JVNDB, id: JVNDB-2016-001539, date: 2016-03-02T00:00:00
db: CNNVD, id: CNNVD-201602-396, date: 2016-02-23T00:00:00
db: NVD, id: CVE-2016-2536, date: 2016-05-20T03:02:57.897

SOURCES RELEASE DATE

db: IVD, id: d4504b9c-1e42-11e6-abef-000c29c66e3d, date: 2016-03-08T00:00:00
db: ZDI, id: ZDI-16-173, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-174, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-176, date: 2016-02-18T00:00:00
db: ZDI, id: ZDI-16-175, date: 2016-02-18T00:00:00
db: CNVD, id: CNVD-2016-01480, date: 2016-03-08T00:00:00
db: JVNDB, id: JVNDB-2016-001539, date: 2016-03-02T00:00:00
db: CNNVD, id: CNNVD-201602-396, date: 2016-02-23T00:00:00
db: NVD, id: CVE-2016-2536, date: 2016-02-22T15:59:03.097