-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Blender .blend Project Arbitrary Command Execution

1. *Advisory Information*

Title: Blender .blend Project Arbitrary Command Execution
Advisory Id: CORE-2009-0912
Advisory URL: http://www.coresecurity.com/content/blender-scripting-injection
Date published: 2009-11-05
Date of last update: 2009-11-04
Vendors contacted: Blender Foundation
Release mode: User release

2. *Vulnerability Information*

Class: Failure to Sanitize Data into a Different Plane [CWE-74]
Impact: Code execution
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 36838
CVE Name: CVE-2009-3850

3. *Vulnerability Description*

Blender [2] is a 3D graphics application released as free software. It
can be used for modeling, texturing, rendering, particle, and other
simulations and creating interactive 3D applications, including games.

Blender embeds a Python interpreter to extend its functionality.
Blender .blend project files can be modified to execute arbitrary
commands without user intervention by design. An attacker can take
full control of the machine where Blender is installed by sending a
specially crafted .blend file and enticing the user to open it.

4. *Vulnerable packages*

. Blender 2.49b
. Blender 2.40
. Blender 2.35a
. Blender 2.34
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

To determine if a .blend file is suspicious you could parse the
content of the file [3] searching for an SDNA [4] of type ScriptLink
[5] with Python code bound to an "onLoad" action.
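As an added example (not part of Core's advisory and not a Blender Foundation tool), the script below performs the first stage of that check offline: it parses the 12-byte .blend header and the file-block table described in [3], decodes the DNA1 struct catalogue [4] to find which struct types carry a ScriptLink field [5], counts Text (TX) datablocks, where embedded script source lives, and provides a helper that tests a ScriptLink flag array for the onLoad bit. It assumes the block and DNA layouts documented at those references, and takes SCRIPT_ONLOAD = 2 from the Blender 2.4x headers as an assumption. build_sample() constructs a minimal file in that layout for the demonstration and is not a real Blender save; all function names are the example's own.

```python
"""Structural triage of a Blender 2.4x .blend file (added example, not Core's code)."""
import struct

SCRIPT_ONLOAD = 2  # assumed onLoad bit of ScriptLink.flag (Blender 2.4x headers)


def _expect(buf, off, tag):
    if buf[off:off + len(tag)] != tag:
        raise ValueError("bad DNA1 %s section" % tag.decode("ascii"))


def parse_header(data):
    """Header: 'BLENDER', pointer size ('_'=4, '-'=8), endian ('v'/'V'), version."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    ptr_size = {b"_": 4, b"-": 8}[data[7:8]]
    endian = {b"v": "<", b"V": ">"}[data[8:9]]
    return ptr_size, endian, data[9:12].decode("ascii")


def iter_blocks(data, ptr_size, endian):
    """Yield (code, sdna_index, count, old_address, payload) for each file block;
    block header = code[4], int size, old pointer, int SDNA index, int count."""
    hdr = struct.Struct(endian + "4si" + ("I" if ptr_size == 4 else "Q") + "ii")
    off = 12
    while off + hdr.size <= len(data):
        code, size, old, sdna, count = hdr.unpack_from(data, off)
        off += hdr.size
        if size < 0 or off + size > len(data):
            raise ValueError("truncated block %r at offset %d" % (code, off))
        yield code.rstrip(b"\0"), sdna, count, old, data[off:off + size]
        if code == b"ENDB":
            break
        off += size


def _cstrings(buf, off, n):
    """Read n NUL-terminated strings at off; return (strings, new offset)."""
    out = []
    for _ in range(n):
        end = buf.index(b"\0", off)
        out.append(buf[off:end].decode("ascii"))
        off = end + 1
    return out, off


def parse_dna(buf, endian):
    """Decode a DNA1 payload into [(struct_name, [(field_type, field_name), ...])]."""
    _expect(buf, 0, b"SDNANAME")
    names, off = _cstrings(buf, 12, struct.unpack_from(endian + "i", buf, 8)[0])
    off = (off + 3) & ~3  # sections are 4-byte aligned
    _expect(buf, off, b"TYPE")
    n_types = struct.unpack_from(endian + "i", buf, off + 4)[0]
    types, off = _cstrings(buf, off + 8, n_types)
    off = (off + 3) & ~3
    _expect(buf, off, b"TLEN")
    off = (off + 4 + 2 * n_types + 3) & ~3  # skip one short (byte length) per type
    _expect(buf, off, b"STRC")
    n_structs = struct.unpack_from(endian + "i", buf, off + 4)[0]
    off, structs = off + 8, []
    for _ in range(n_structs):
        t, nf = struct.unpack_from(endian + "hh", buf, off)
        f = struct.unpack_from(endian + "%dh" % (2 * nf), buf, off + 4)
        structs.append((types[t], [(types[f[i]], names[f[i + 1]])
                                   for i in range(0, 2 * nf, 2)]))
        off += 4 + 4 * nf
    return structs


def onload_slots(flag_payload, endian, totscript):
    """Given the DATA block ScriptLink.flag points at, list slots bound to onLoad."""
    flags = struct.unpack_from(endian + "%dh" % totscript, flag_payload)
    return [i for i, fl in enumerate(flags) if fl & SCRIPT_ONLOAD]


def triage(data):
    """Report what a defender can check without opening the file in Blender."""
    ptr_size, endian, version = parse_header(data)
    rep = {"version": version, "pointer_size": ptr_size, "blocks": [],
           "text_blocks": 0, "scriptlink_hosts": []}
    for code, sdna, count, old, payload in iter_blocks(data, ptr_size, endian):
        rep["blocks"].append(code.decode("ascii"))
        if code == b"TX":  # Text datablock: embedded script source lives here
            rep["text_blocks"] += count
        elif code == b"DNA1":
            rep["scriptlink_hosts"] = [s for s, f in parse_dna(payload, endian)
                                       if any(t == "ScriptLink" for t, _ in f)]
    rep["needs_review"] = rep["text_blocks"] > 0 and bool(rep["scriptlink_hosts"])
    return rep


def build_sample():
    """Constructed minimal file in .blend layout (not a real Blender save)."""
    e = "<"
    cstr = lambda items: b"".join(s.encode("ascii") + b"\0" for s in items)
    pad4 = lambda b: b + b"\0" * (-len(b) % 4)

    def block(code, payload, sdna=0, count=1):
        return struct.pack(e + "4siIii", code, len(payload), 0, sdna, count) + payload

    names = ["*scripts", "*flag", "actscript", "totscript", "pad", "scriptlink"]
    types = ["char", "short", "int", "ScriptLink", "Scene"]
    dna = pad4(b"SDNANAME" + struct.pack(e + "i", len(names)) + cstr(names))
    dna = pad4(dna + b"TYPE" + struct.pack(e + "i", len(types)) + cstr(types))
    dna = pad4(dna + b"TLEN" + struct.pack(e + "5h", 1, 2, 4, 16, 16))
    dna += b"STRC" + struct.pack(e + "i", 2)
    dna += struct.pack(e + "12h", 3, 5, 2, 0, 1, 1, 1, 2, 1, 3, 2, 4)  # ScriptLink
    dna += struct.pack(e + "4h", 4, 1, 3, 5)  # Scene { ScriptLink scriptlink; }
    return (b"BLENDER_v249" + block(b"SC\0\0", b"\0" * 16, sdna=1)
            + block(b"TX\0\0", b"\0" * 8) + block(b"DNA1", dna) + block(b"ENDB", b""))
```

Resolving which DATA block holds a particular ScriptLink's flag array requires computing field offsets from the DNA catalogue (pointer size plus the TLEN byte lengths) and matching the old-address values that iter_blocks yields, so needs_review is a triage signal rather than a verdict. Files written by other Blender builds may use 8-byte pointers or big-endian layout; parse_header reports both so the same block walker still applies.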

6. *Credits*

This vulnerability was discovered and researched by Diego Juarez and
Sebastian Tello from Core Security Technologies during Bugweek 2009 [1].

The publication of this advisory was coordinated by Fernando Russ from
Core Security Advisories Team.

7. *Technical Description / Proof of Concept Code*

Blender [2] .blend project files can be modified to execute arbitrary
commands without user intervention by design. An attacker can take
full control of the machine where Blender is installed by sending a
specially crafted .blend file and enticing the user to open it.

These are the steps to reproduce the issue:

. Open the "Text Editor" Panel.
. Right click on the canvas and select "New".
. Write your Python code there. For instance:

/-----
import os
os.system("calc.exe")
-----/

. In the text name field (TX:Text.001) input a name for your
  script, e.g.: TX:myscript.
. Open the "Buttons Window" panel.
. From the "panel" dropdown choose "Script".
. Check that "enable script links" is active.
. Click on "new".
. Select the script you created (e.g. myscript).
. Choose "OnLoad" from the event dropdown list.
. In the "User Preferences" panel, select File->Save, and save your
  project.

8. *Report Timeline*

. 2009-10-19:
Core Security Technologies notifies the Blender Foundation of the
vulnerability and announces its initial plan to publish this advisory
on October 30th, 2009.

. 2009-10-20:
The Blender Foundation answers that "We are a free software project,
all issues are openly discussed. Just post the discoveries you made
for everyone to look at."

. 2009-10-27:
Core sends a draft advisory to the Blender Foundation for this flaw.
Core also reminds the vendor of its intention to publish the content on
October 30th, 2009.

. 2009-10-27:
BID 36838 was assigned to this issue.

. 2009-11-03:
CVE-2009-3850 was assigned to this issue.

. 2009-11-03:
The Blender Foundation didn't acknowledge or answer our communications
anymore.

. 2009-11-05:
The advisory CORE-2009-0912 is published.

9. *References*

[1] The author participated in Core Bugweek 2009 as member of the team
    "Gimbal Lock N Load".
[2] http://www.blender.org/
[3] http://www.atmind.nl/blender/mystery_ot_blend.html
[4] http://www.atmind.nl/blender/blender-sdna.html
[5] http://www.atmind.nl/blender/blender-sdna.html#struct:ScriptLink

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://www.coresecurity.com/corelabs.

11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrzB5QACgkQyNibggitWa3zbwCfYhTo5o2x1lggJ2dZjAx1uQyp
YEkAoKjU9/gtdrUV7zHGFo6H9GJUyW7W
=FxMs
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/